CVE-2018-15612 - OpenCVE

A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Avaya	Orchestration Designer

Configuration 1 [-]

cpe:2.3:a:avaya:orchestration_designer:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://downloads.avaya.com/css/P8/documents/101052293

History

No history.

MITRE

Status: PUBLISHED

Assigner: avaya

Published: 2018-09-21T18:00:00

Updated: 2024-08-05T10:01:54.357Z

Reserved: 2018-08-21T00:00:00

Link: CVE-2018-15612

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-09-21T17:29:05.610

Modified: 2019-10-09T23:35:45.737

Link: CVE-2018-15612

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Orchestration Designer", "vendor": "Avaya", "versions": [{"status": "affected", "version": "All versions up to 7.2.1"}]}], "datePublic": "2018-09-21T00:00:00", "descriptions": [{"lang": "en", "value": "A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-09-21T17:57:01", "orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://downloads.avaya.com/css/P8/documents/101052293"}], "source": {"advisory": "ASA-2018-278"}, "title": "Orchestration Designer Runtime Config CSRF", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "securityalerts@avaya.com", "ID": "CVE-2018-15612", "STATE": "PUBLIC", "TITLE": "Orchestration Designer Runtime Config CSRF"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Orchestration Designer", "version": {"version_data": [{"version_value": "All versions up to 7.2.1"}]}}]}, "vendor_name": "Avaya"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://downloads.avaya.com/css/P8/documents/101052293", "refsource": "CONFIRM", "url": "https://downloads.avaya.com/css/P8/documents/101052293"}]}, "source": {"advisory": "ASA-2018-278"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:01:54.357Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://downloads.avaya.com/css/P8/documents/101052293"}]}]}, "cveMetadata": {"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "assignerShortName": "avaya", "cveId": "CVE-2018-15612", "datePublished": "2018-09-21T18:00:00", "dateReserved": "2018-08-21T00:00:00", "dateUpdated": "2024-08-05T10:01:54.357Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:orchestration_designer:*:*:*:*:*:*:*:*", "matchCriteriaId": "5DE6D345-FEE0-4BCC-8068-12597812DF4E", "versionEndExcluding": "7.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1."}, {"lang": "es", "value": "Una vulnerabilidad Cross-Site Request Forgery (CSRF) en el componente Runtime Config de Avaya Aura Orchestration Designer podr\u00eda permitir que un atacante a\u00f1ada, cambie o elimine configuraci\u00f3n de administrador. Las versiones afectadas de Avaya Aura Orchestration Designer son todas las versiones hasta la 7.2.1."}], "id": "CVE-2018-15612", "lastModified": "2019-10-09T23:35:45.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 6.0, "source": "securityalerts@avaya.com", "type": "Secondary"}]}, "published": "2018-09-21T17:29:05.610", "references": [{"source": "securityalerts@avaya.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://downloads.avaya.com/css/P8/documents/101052293"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "securityalerts@avaya.com", "type": "Secondary"}]}