CVE-2020-7036 - OpenCVE

An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Avaya	Callback Assist

Configuration 1 [-]

OR	cpe:2.3:a:avaya:callback_assist::::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:-::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch1::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch2::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch3::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch4::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch5::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch6::::::

No data.

References

Link	Providers
https://downloads.avaya.com/css/P8/documents/101075450

History

Tue, 17 Sep 2024 02:00:00 +0000

Type	Values Removed	Values Added
Title	XXE in Avaya Callback Assist Administration	XXE in Avaya Callback Assist Administration

MITRE

Status: PUBLISHED

Assigner: avaya

Published: 2021-04-23T21:00:20.925071Z

Updated: 2024-09-17T01:45:37.197Z

Reserved: 2020-01-14T00:00:00

Link: CVE-2020-7036

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-04-23T21:15:08.090

Modified: 2021-04-30T16:51:04.737

Link: CVE-2020-7036

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Callback Assist", "vendor": "Avaya", "versions": [{"lessThan": "4.7.1.1", "status": "affected", "version": "4.0.x", "versionType": "custom"}]}], "datePublic": "2021-04-23T00:00:00", "descriptions": [{"lang": "en", "value": "An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-23T21:00:20", "orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://downloads.avaya.com/css/P8/documents/101075450"}], "source": {"advisory": "ASA-2021-030"}, "title": "XXE in Avaya Callback Assist Administration", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "securityalerts@avaya.com", "DATE_PUBLIC": "2021-04-23T06:00:00.000Z", "ID": "CVE-2020-7036", "STATE": "PUBLIC", "TITLE": "XXE in Avaya Callback Assist Administration"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Callback Assist", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "4.0.x", "version_value": "4.7.1.1"}]}}]}, "vendor_name": "Avaya"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611: Improper Restriction of XML External Entity Reference"}]}]}, "references": {"reference_data": [{"name": "https://downloads.avaya.com/css/P8/documents/101075450", "refsource": "CONFIRM", "url": "https://downloads.avaya.com/css/P8/documents/101075450"}]}, "source": {"advisory": "ASA-2021-030"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:18:02.844Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://downloads.avaya.com/css/P8/documents/101075450"}]}]}, "cveMetadata": {"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "assignerShortName": "avaya", "cveId": "CVE-2020-7036", "datePublished": "2021-04-23T21:00:20.925071Z", "dateReserved": "2020-01-14T00:00:00", "dateUpdated": "2024-09-17T01:45:37.197Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:callback_assist:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EEE274C-40A3-4A32-A49F-FC048765D3E7", "versionEndExcluding": "4.7.1.1", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:-:*:*:*:*:*:*", "matchCriteriaId": "3E4CD687-13D3-4B9A-A381-0DCB330E70A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch1:*:*:*:*:*:*", "matchCriteriaId": "ADFF164B-33E9-4B08-8B49-23BE779D3A20", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "4FFD00E2-1E17-4FD4-9920-5D9BCFB51C7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch3:*:*:*:*:*:*", "matchCriteriaId": "E0DEC261-79BD-4D94-AD45-B99E940A436D", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch4:*:*:*:*:*:*", "matchCriteriaId": "B43D5CB2-AE98-4999-8525-5AC3DC046939", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch5:*:*:*:*:*:*", "matchCriteriaId": "9C3F89D3-02E7-4FFB-89B8-91B84368597B", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch6:*:*:*:*:*:*", "matchCriteriaId": "124184AA-27D4-4094-B419-A67678C42E13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7."}, {"lang": "es", "value": "Una vulnerabilidad XML External Entities (XXE) en Callback Assist, podr\u00eda permitir a un atacante remoto autenticado conseguir acceso de lectura a la informaci\u00f3n que es almacenada en un sistema afectado. Las versiones afectadas de Callback Assist incluyen todas las versiones 4.0.x anteriores a 4.7.1.1 Patch 7"}], "id": "CVE-2020-7036", "lastModified": "2021-04-30T16:51:04.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "securityalerts@avaya.com", "type": "Secondary"}]}, "published": "2021-04-23T21:15:08.090", "references": [{"source": "securityalerts@avaya.com", "tags": ["Vendor Advisory"], "url": "https://downloads.avaya.com/css/P8/documents/101075450"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "securityalerts@avaya.com", "type": "Secondary"}]}