CVE-2018-15614

A vulnerability in the one-x Portal component of IP Office could allow an authenticated user to perform stored cross site scripting attacks via fields in the Conference Scheduler Service that could affect other application users. Affected versions of IP Office include 10.0 through 10.1 SP3 and 11.0 versions prior to 11.0 SP1.

Published: Jan 23, 2019
Updated: Apr 13, 2023
CVE: CVE-2018-15614
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
avaya / ip_office	10.1-sp1	10.1-sp1.x
avaya / ip_office	10.1-sp2	10.1-sp2.x
avaya / ip_office	10.1	10.1.x
avaya / ip_office	10.0-sp1	10.0-sp1.x
avaya / ip_office	10.0-sp2	10.0-sp2.x
avaya / ip_office	10.0-sp3	10.0-sp3.x
avaya / ip_office	10.0-sp4	10.0-sp4.x
avaya / ip_office	10.0-sp5	10.0-sp5.x
avaya / ip_office	10.0-sp6	10.0-sp6.x
avaya / ip_office	10.0-sp7	10.0-sp7.x
avaya / ip_office	10.0	10.0.x
avaya / ip_office	11.0	11.0.x
avaya / ip_office	10.1-sp3	10.1-sp3.x

https://downloads.avaya.com/css/P8/documents/101054317

Vulnerability Database

289,697

CVE-2018-15614