CVE-2020-7036 - OpenCVE

An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Avaya	Callback Assist

Configuration 1 [-]

OR	cpe:2.3:a:avaya:callback_assist::::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:-::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch1::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch2::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch3::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch4::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch5::::::
	cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch6::::::

References

Link	Resource
https://downloads.avaya.com/css/P8/documents/101075450	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: avaya

Published: 2021-04-23T00:00:00

Updated: 2021-04-23T21:00:20

Reserved: 2020-01-14T00:00:00

Link: CVE-2020-7036

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-04-23T21:15:08.090

Modified: 2021-04-30T16:51:04.737

Link: CVE-2020-7036

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"containers": {"cna": {"affected": [{"product": "Callback Assist", "vendor": "Avaya", "versions": [{"lessThan": "4.7.1.1", "status": "affected", "version": "4.0.x", "versionType": "custom"}]}], "datePublic": "2021-04-23T00:00:00", "descriptions": [{"lang": "en", "value": "An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference\n", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-23T21:00:20", "orgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "shortName": "avaya"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://downloads.avaya.com/css/P8/documents/101075450"}], "source": {"advisory": "ASA-2021-030"}, "title": "XXE in Avaya Callback Assist Administration ", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "securityalerts@avaya.com", "DATE_PUBLIC": "2021-04-23T06:00:00.000Z", "ID": "CVE-2020-7036", "STATE": "PUBLIC", "TITLE": "XXE in Avaya Callback Assist Administration "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Callback Assist", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_name": "4.0.x", "version_value": "4.7.1.1"}]}}]}, "vendor_name": "Avaya"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-611: Improper Restriction of XML External Entity Reference\n"}]}]}, "references": {"reference_data": [{"name": "https://downloads.avaya.com/css/P8/documents/101075450", "refsource": "CONFIRM", "url": "https://downloads.avaya.com/css/P8/documents/101075450"}]}, "source": {"advisory": "ASA-2021-030"}}}}, "cveMetadata": {"assignerOrgId": "9d670455-bdb5-4cca-a883-5914865f5d96", "assignerShortName": "avaya", "cveId": "CVE-2020-7036", "datePublished": "2021-04-23T00:00:00", "dateReserved": "2020-01-14T00:00:00", "dateUpdated": "2021-04-23T21:00:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:callback_assist:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EEE274C-40A3-4A32-A49F-FC048765D3E7", "versionEndExcluding": "4.7.1.1", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:-:*:*:*:*:*:*", "matchCriteriaId": "3E4CD687-13D3-4B9A-A381-0DCB330E70A8", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch1:*:*:*:*:*:*", "matchCriteriaId": "ADFF164B-33E9-4B08-8B49-23BE779D3A20", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch2:*:*:*:*:*:*", "matchCriteriaId": "4FFD00E2-1E17-4FD4-9920-5D9BCFB51C7A", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch3:*:*:*:*:*:*", "matchCriteriaId": "E0DEC261-79BD-4D94-AD45-B99E940A436D", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch4:*:*:*:*:*:*", "matchCriteriaId": "B43D5CB2-AE98-4999-8525-5AC3DC046939", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch5:*:*:*:*:*:*", "matchCriteriaId": "9C3F89D3-02E7-4FFB-89B8-91B84368597B", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:callback_assist:4.7.1.1:patch6:*:*:*:*:*:*", "matchCriteriaId": "124184AA-27D4-4094-B419-A67678C42E13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7."}, {"lang": "es", "value": "Una vulnerabilidad XML External Entities (XXE) en Callback Assist, podr\u00eda permitir a un atacante remoto autenticado conseguir acceso de lectura a la informaci\u00f3n que es almacenada en un sistema afectado. Las versiones afectadas de Callback Assist incluyen todas las versiones 4.0.x anteriores a 4.7.1.1 Patch 7"}], "id": "CVE-2020-7036", "lastModified": "2021-04-30T16:51:04.737", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "securityalerts@avaya.com", "type": "Secondary"}]}, "published": "2021-04-23T21:15:08.090", "references": [{"source": "securityalerts@avaya.com", "tags": ["Vendor Advisory"], "url": "https://downloads.avaya.com/css/P8/documents/101075450"}], "sourceIdentifier": "securityalerts@avaya.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "securityalerts@avaya.com", "type": "Secondary"}]}