On an external penetration test earlier this year, OCD Tech came across an instance of Avaya’s IP Office Web Collaboration software on a client’s in-scope, internet-facing system. This web-based software allows employees and external users to host and join meetings using Avaya’s business Voice-over-IP (VoIP) solutions. While use of the platform requires credentials, its login page was exposed to the internet so that external users could join meetings. Through a dedicated review of this software, which was fully patched at the time of the test, the OCD Tech penetration testing team identified a new cross-site scripting vulnerability affecting the “Username” parameter of the login form. By submitting a specially crafted string in the username field, the team was able to execute arbitrary JavaScript in the context of the user’s web browser. OCD Tech worked with the vendor to responsibly disclose the vulnerability, which Avaya acknowledged and patched within a reasonable timeframe. After the patch was made available to Avaya’s customers, the vulnerability was publicly disclosed, and OCD Tech was awarded CVE-2019-7004 for the discovery. OCD Tech prides itself on professional penetration testing services and on the responsible disclosure of newly identified vulnerabilities. For more information, please see the following vulnerability disclosures:
National Institute of Standards and Technology (NIST) National Vulnerability Database
MITRE Common Vulnerabilities and Exposures (CVE) database
Avaya Security Advisory ASA-2019-213
Congratulations to Daniel Bohan, OSCP, of OCD Tech for the discovery of this net-new vulnerability and for taking responsible steps to help Avaya secure their customers’ systems.
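The bug class described above, a login form reflecting its “Username” parameter back into the page without output encoding, is illustrated below in a small added example. This code is written for this post and is not Avaya’s code; it makes no claim about how IP Office Web Collaboration was actually implemented. The template, the `Username`/`Password` field names, and the sample request string are all constructed. It shows the vulnerable rendering next to the fixed one (context-appropriate HTML encoding via `html.escape`) and a regression check a defender can run against a response to confirm that submitted markup no longer comes back verbatim.

```python
"""Reflected XSS in a login form's username echo: vulnerable vs. fixed.

Added illustrative example, not Avaya's code. The template below and the
field names are constructed for the demonstration.
"""
import html
from urllib.parse import parse_qs

# Minimal login page that echoes the submitted username back so the user
# can correct a typo. {username} lands in two HTML contexts: element text
# and a single-quoted attribute value. Both must be encoded.
LOGIN_TEMPLATE = (
    "<form method='post' action='/login'>"
    "<p class='error'>Login failed for user: {username}</p>"
    "<input type='text' name='Username' value='{username}'>"
    "<input type='password' name='Password'>"
    "</form>"
)


def username_from_query(body: str) -> str:
    """Extract the Username parameter from a URL-encoded form body the way a
    login handler would. Returns an empty string when the field is absent."""
    return parse_qs(body).get("Username", [""])[0]


def render_login_vulnerable(username: str) -> str:
    """Substitutes the raw parameter into markup with no output encoding,
    so any '<', '>' or quote in the username becomes live HTML."""
    return LOGIN_TEMPLATE.format(username=username)


def render_login_fixed(username: str) -> str:
    """Encodes the parameter for the HTML contexts it is inserted into.
    quote=True also encodes ' and ", so the value='...' attribute cannot be
    terminated early by the input."""
    return LOGIN_TEMPLATE.format(username=html.escape(username, quote=True))


def reflects_unencoded_markup(rendered: str, submitted: str) -> bool:
    """Defender-side regression check: if the submitted value contains
    markup-significant characters and appears byte-for-byte in the
    response, the page is reflecting input without encoding it."""
    has_markup = any(ch in submitted for ch in "<>\"'")
    return has_markup and submitted in rendered


if __name__ == "__main__":
    # Constructed request body containing a harmless tag in the username.
    sample_body = "Username=alice%3Cb%3Ebold%3C%2Fb%3E&Password=x"
    name = username_from_query(sample_body)
    for label, render in (("vulnerable", render_login_vulnerable),
                          ("fixed", render_login_fixed)):
        page = render(name)
        print(f"{label}: reflects raw markup = "
              f"{reflects_unencoded_markup(page, name)}")
```

The check is deliberately simple: it flags any response in which a submitted value containing `<`, `>`, or a quote comes back unchanged. Run against the vulnerable renderer it reports `True`; against the fixed renderer the same input comes back as `alice&lt;b&gt;bold&lt;/b&gt;` and it reports `False`. Output encoding is the primary fix; a restrictive Content-Security-Policy is a useful second layer but does not replace it.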