Aggregates CVE and security vulnerability intelligence across all Avaya-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk memory corruption, vendor risk xxe, vendor risk csrf, and vendor risk open redirect, with potential vendor impact session compromise across vendor surface production workloads use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-49186 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | [email protected] | 5.3 | 0.29% | 2025-06-12 | 2026-02-03 |
| CVE-2025-1041 | An improper input validation discovered in Avaya Call Management System could allow an unauthorized remote command via a specially crafted web request. Affected versions include 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0. | [email protected] | 9.9 | 0.47% | 2025-06-10 | 2025-07-30 |
| CVE-2024-12756 | An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user. | [email protected] | 7.3 | 0.05% | 2025-02-11 | 2025-10-01 |
| CVE-2024-12755 | A Cross-Site Scripting (XSS) vulnerability in Avaya Spaces may have allowed unauthorized code execution and potential disclose of sensitive information. | [email protected] | 7.9 | 0.07% | 2025-02-11 | 2025-07-29 |
| CVE-2024-7480 | An Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support. | [email protected] | 4.2 | 0.06% | 2024-08-08 | 2025-10-01 |
| CVE-2024-7477 | A SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support. | [email protected] | 6.5 | 0.12% | 2024-08-08 | 2024-09-11 |
| CVE-2024-4197 | An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1. | [email protected] | 9.9 | 0.55% | 2024-06-25 | 2025-01-21 |
| CVE-2024-4196 | An improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1. | [email protected] | 10.0 | 0.82% | 2024-06-25 | 2025-10-01 |
| CVE-2023-7031 | Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support. | [email protected] | 5.7 | 0.13% | 2024-01-17 | 2024-11-21 |
| CVE-2023-3722 | An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier. | [email protected] | 8.6 | 54.62% | 2023-07-19 | 2024-11-21 |
| CVE-2023-3527 | A CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel. | [email protected] | 6.8 | 0.08% | 2023-07-18 | 2024-11-21 |
| CVE-2023-32218 | Avaya IX Workforce Engagement v15.2.7.1195 - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | [email protected] | 6.1 | 0.19% | 2023-05-30 | 2024-11-21 |
| CVE-2023-31187 | Avaya IX Workforce Engagement v15.2.7.1195 - CWE-522: Insufficiently Protected Credentials | [email protected] | 6.5 | 0.21% | 2023-05-30 | 2024-11-21 |
| CVE-2023-31186 | Avaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy | [email protected] | 5.3 | 0.22% | 2023-05-30 | 2024-11-21 |
| CVE-2022-38168 | Broken Access Control in User Authentication in Avaya Scopia Pathfinder 10 and 20 PTS version 8.3.7.0.4 allows remote unauthenticated attackers to bypass the login page, access sensitive information, and reset user passwords via URL modification. | [email protected] | 9.1 | 0.51% | 2022-11-03 | 2025-05-02 |
| CVE-2022-2249 | Privilege escalation related vulnerabilities were discovered in Avaya Aura Communication Manager that may allow local administrative users to escalate their privileges. This issue affects Communication Manager versions 8.0.0.0 through 8.1.3.3 and 10.1.0.0. | [email protected] | 7.7 | 0.06% | 2022-10-12 | 2024-11-21 |
| CVE-2022-2975 | A vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated. | [email protected] | 7.7 | 0.05% | 2022-10-06 | 2024-11-21 |
| CVE-2021-25657 | A privilege escalation vulnerability was discovered in Avaya IP Office Admin Lite and USB Creator that may potentially allow a local user to escalate privileges. This issue affects Admin Lite and USB Creator 11.1 Feature Pack 2 Service Pack 1 and earlier versions. | [email protected] | 7.8 | 0.11% | 2022-09-02 | 2024-11-21 |
| CVE-2021-25654 | An arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services. | [email protected] | 6.2 | 0.21% | 2021-06-25 | 2024-11-21 |
| CVE-2021-25656 | Stored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which could allow an authenticated user to potentially disclose sensitive information. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix). | [email protected] | 5.3 | 0.15% | 2021-06-24 | 2024-11-21 |