Avaya
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Avaya product.
RSS Feeds for Avaya security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Avaya products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Avaya Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Avaya. Last year, in 2025 Avaya had 3 security vulnerabilities published. Right now, Avaya is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 3 | 7.50 |
| 2024 | 5 | 7.00 |
| 2023 | 5 | 6.90 |
| 2022 | 3 | 7.07 |
| 2021 | 13 | 7.21 |
| 2020 | 6 | 6.80 |
| 2019 | 7 | 6.96 |
| 2018 | 7 | 7.43 |
It may take a day or so for new Avaya vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Avaya Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2025-1041 | Jun 10, 2025 |
Avaya Call Mgt Sys remote cmd via web req (CVE-2025-1041) – 18.x, 19.x <19.2.0.7, 20.x <20.0.1.0An improper input validation discovered in Avaya Call Management System could allow an unauthorized remote command via a specially crafted web request. Affected versions include 18.x, 19.x prior to 19.2.0.7, and 20.x prior to 20.0.1.0. |
Call Management System
|
| CVE-2024-12755 | Feb 11, 2025 |
Avaya Spaces XSS vuln CVE-2024-12755A Cross-Site Scripting (XSS) vulnerability in Avaya Spaces may have allowed unauthorized code execution and potential disclose of sensitive information. |
Spaces
|
| CVE-2024-12756 | Feb 11, 2025 |
Avaya Spaces: HTML Injection Sensitive Info DisclosureAn HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user. |
Spaces
|
| CVE-2024-7477 | Aug 08, 2024 |
SQLi via CLI admin in Avaya Aura System Manager 10.xA SQL injection vulnerability was found which could allow a command line interface (CLI) user with administrative privileges to execute arbitrary queries against the Avaya Aura System Manager database. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support. |
Aura System Manager
|
| CVE-2024-7480 | Aug 08, 2024 |
Avaya Aura System Manager 10.1-10.2 Improper Access via CLIAn Improper access control vulnerability was found in Avaya Aura System Manager which could allow a command-line interface (CLI) user with administrative privileges to read arbitrary files on the system. Affected versions include 10.1.x.x and 10.2.x.x. Versions prior to 10.1 are end of manufacturer support. |
Aura System Manager
|
| CVE-2024-4196 | Jun 25, 2024 |
Avaya IP Office <11.1.3.1 Web Control RCEAn improper input validation vulnerability was discovered in Avaya IP Office that could allow remote command or code execution via a specially crafted web request to the Web Control component. Affected versions include all versions prior to 11.1.3.1. |
Ip Office
|
| CVE-2024-4197 | Jun 25, 2024 |
Unrestricted File Upload in Avaya IP Office <11.1.3.1 (One-X)An unrestricted file upload vulnerability in Avaya IP Office was discovered that could allow remote command or code execution via the One-X component. Affected versions include all versions prior to 11.1.3.1. |
Ip Office
|
| CVE-2023-7031 | Jan 17, 2024 |
Avaya Aura Experience Portal Manager IDOR pre-8.1.2Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user. Affected versions include 8.0.x and 8.1.x, prior to 8.1.2 patch 0402. Versions prior to 8.0 are end of manufacturer support. |
Aura Experience Portal
|
| CVE-2023-3722 | Jul 19, 2023 |
Avaya Aura Device Services <=8.1.4 OS Command Injection via Uploaded FileAn OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier. |
Aura Device Services
|
| CVE-2023-3527 | Jul 18, 2023 |
Avaya CMS CSV Injection Allows Admin Arbitrary Command ExecutionA CSV injection vulnerability was found in the Avaya Call Management System (CMS) Supervisor web application which allows a user with administrative privileges to input crafted data which, when exported to a CSV file, may attempt arbitrary command execution on the system used to open the file by a spreadsheet software such as Microsoft Excel. |
Call Management System
|
| CVE-2023-31187 | May 30, 2023 |
Avaya IX Workforce Engg v15.2.7.1195: IPC in Credentials StorageAvaya IX Workforce Engagement v15.2.7.1195 - CWE-522: Insufficiently Protected Credentials |
Ix Workforce Engagement
|
| CVE-2023-32218 | May 30, 2023 |
Avaya IX Workforce Eng. v15.2.7.1195 Open Redirect (CWE-601)Avaya IX Workforce Engagement v15.2.7.1195 - CWE-601: URL Redirection to Untrusted Site ('Open Redirect') |
Ix Workforce Engagement
|
| CVE-2023-31186 | May 30, 2023 |
Avaya IX Workforce Eng. 15.2.7.1195 - User Enumeration via Response DiscrepancyAvaya IX Workforce Engagement v15.2.7.1195 - User Enumeration - Observable Response Discrepancy |
Ix Workforce Engagement
|
| CVE-2022-2249 | Oct 12, 2022 |
Avaya Aura CommMgr Privilege Escalation (v8.0-8.1.3.3, 10.1.0.0)Privilege escalation related vulnerabilities were discovered in Avaya Aura Communication Manager that may allow local administrative users to escalate their privileges. This issue affects Communication Manager versions 8.0.0.0 through 8.1.3.3 and 10.1.0.0. |
Aura Communication Manager
|
| CVE-2022-2975 | Oct 06, 2022 |
Avaya Aura App Enablement Services 8.x-10.x Weak Permissions Root Code ExecA vulnerability related to weak permissions was detected in Avaya Aura Application Enablement Services web application, allowing an administrative user to modify accounts leading to execution of arbitrary code as the root user. This issue affects Application Enablement Services versions 8.0.0.0 through 8.1.3.4 and 10.1.0.0 through 10.1.0.1. Versions prior to 8.0.0.0 are end of manufacturing support and were not evaluated. |
Aura Application Enablement Services
|
| CVE-2021-25657 | Sep 02, 2022 |
Privilege Escalation in Avaya IP Office Admin Lite USB Creator <11.1 SP1A privilege escalation vulnerability was discovered in Avaya IP Office Admin Lite and USB Creator that may potentially allow a local user to escalate privileges. This issue affects Admin Lite and USB Creator 11.1 Feature Pack 2 Service Pack 1 and earlier versions. |
Ip Office
|
| CVE-2021-25654 | Jun 25, 2021 |
An arbitrary code execution vulnerability was discovered in Avaya Aura Device ServicesAn arbitrary code execution vulnerability was discovered in Avaya Aura Device Services that may potentially allow a local user to execute specially crafted scripts. Affects 7.0 through 8.1.4.0 versions of Avaya Aura Device Services. |
Aura Device Services
|
| CVE-2021-25656 | Jun 24, 2021 |
Stored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which couldStored XSS injection vulnerabilities were discovered in the Avaya Aura Experience Portal Web management which could allow an authenticated user to potentially disclose sensitive information. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix). |
Aura Experience Portal
|
| CVE-2021-25655 | Jun 24, 2021 |
A vulnerability in the system Service Menu component of Avaya Aura Experience Portal mayA vulnerability in the system Service Menu component of Avaya Aura Experience Portal may allow URL Redirection to any untrusted site through a crafted attack. Affected versions include 7.0 through 7.2.3 (without hotfix) and 8.0.0 (without hotfix). |
Aura Experience Portal
|
| CVE-2021-25652 | Jun 24, 2021 |
An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Appliance Virtualization Platform Utilities (AVPU)An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Appliance Virtualization Platform Utilities (AVPU). This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects versions 8.0.0.0 through 8.1.3.1 of AVPU. |
Aura Appliance Virtualization Platform
|
| CVE-2021-25653 | Jun 24, 2021 |
A privilege escalation vulnerability was discovered in Avaya Aura Appliance Virtualization Platform Utilities (AVPU)A privilege escalation vulnerability was discovered in Avaya Aura Appliance Virtualization Platform Utilities (AVPU) that may potentially allow a local user to escalate privileges. Affects 8.0.0.0 through 8.1.3.1 versions of AVPU. |
Aura Appliance Virtualization Platform
|
| CVE-2021-25649 | Jun 24, 2021 |
An information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Utility ServicesAn information disclosure vulnerability was discovered in the directory and file management of Avaya Aura Utility Services. This vulnerability may potentially allow any local user to access system functionality and configuration information that should only be available to a privileged user. Affects all 7.x versions of Avaya Aura Utility Services |
Aura Utility Services
|
| CVE-2021-25650 | Jun 24, 2021 |
A privilege escalation vulnerability was discovered in Avaya Aura Utility ServicesA privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to execute specially crafted scripts as a privileged user. Affects all 7.x versions of Avaya Aura Utility Services |
Aura Utility Services
|
| CVE-2021-25651 | Jun 24, 2021 |
A privilege escalation vulnerability was discovered in Avaya Aura Utility ServicesA privilege escalation vulnerability was discovered in Avaya Aura Utility Services that may potentially allow a local user to escalate privileges. Affects all 7.x versions of Avaya Aura Utility Services |
Aura Utility Services
|
| CVE-2020-7037 | Apr 28, 2021 |
An XML External Entities (XXE) vulnerability in Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to informationAn XML External Entities (XXE) vulnerability in Media Server component of Avaya Equinox Conferencing could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system or even potentially lead to a denial of service. The affected versions of Avaya Equinox Conferencing includes all 9.x versions before 9.1.11. Equinox Conferencing is now offered as Avaya Meetings Server. |
Equinox Conferencing
|
| CVE-2020-7038 | Apr 28, 2021 |
A vulnerability was discovered in Management component of Avaya Equinox ConferencingA vulnerability was discovered in Management component of Avaya Equinox Conferencing that could potentially allow an unauthenticated, remote attacker to gain access to screen sharing and whiteboard sessions. The affected versions of Management component of Avaya Equinox Conferencing include all 3.x versions before 3.17. Avaya Equinox Conferencing is now offered as Avaya Meetings Server. |
Equinox Conferencing
|
| CVE-2020-7034 | Apr 23, 2021 |
A command injection vulnerability in Avaya Session Border Controller for Enterprise couldA command injection vulnerability in Avaya Session Border Controller for Enterprise could allow an authenticated, remote attacker to send specially crafted messages and execute arbitrary commands with the affected system privileges. Affected versions of Avaya Session Border Controller for Enterprise include 7.x, 8.0 through 8.1.1.x |
Session Border Controller Enterprise
|
| CVE-2020-7035 | Apr 23, 2021 |
An XML External Entities (XXE)vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to informationAn XML External Entities (XXE)vulnerability in the web-based user interface of Avaya Aura Orchestration Designer could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Orchestration Designer includes all 7.x versions before 7.2.3. |
Aura Orchestration Designer
|
| CVE-2020-7036 | Apr 23, 2021 |
An XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to informationAn XML External Entities (XXE)vulnerability in Callback Assist could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The affected versions of Callback Assist includes all 4.0.x versions before 4.7.1.1 Patch 7. |
Callback Assist
|
| CVE-2020-7032 | Nov 13, 2020 |
An XML external entity (XXE) vulnerability in Avaya WebLM admin interfaceAn XML external entity (XXE) vulnerability in Avaya WebLM admin interface allows authenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request. Affected versions of Avaya WebLM include: 7.0 through 7.1.3.6 and 8.0 through 8.1.2. |
Aura System Manager
Weblm
|
| CVE-2020-7033 | Nov 13, 2020 |
A Cross Site Scripting (XSS) Vulnerability on the Unified Portal Client (web client) used in Avaya Equinox Conferencing canA Cross Site Scripting (XSS) Vulnerability on the Unified Portal Client (web client) used in Avaya Equinox Conferencing can allow an authenticated user to perform XSS attacks. The affected versions of Equinox Conferencing includes all 9.x versions before 9.1.10. |
Equinox Conferencing
|
| CVE-2020-7029 | Aug 11, 2020 |
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura MessagingA Cross-Site Request Forgery (CSRF) vulnerability was discovered in the System Management Interface Web component of Avaya Aura Communication Manager and Avaya Aura Messaging. This vulnerability could allow an unauthenticated remote attacker to perform Web administration actions with the privileged level of the authenticated user. Affected versions of Communication Manager are 7.0.x, 7.1.x prior to 7.1.3.5 and 8.0.x. Affected versions of Messaging are 7.0.x, 7.1 and 7.1 SP1. |
Aura Communication Manager
|
| CVE-2019-7005 | Aug 07, 2020 |
A vulnerability was discovered in the web interface component of IP OfficeA vulnerability was discovered in the web interface component of IP Office that may potentially allow a remote, unauthenticated user with network access to gain sensitive information. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 through 11.0.4.2. |
Ip Office
|
| CVE-2020-7030 | Jun 04, 2020 |
A sensitive information disclosure vulnerability was discovered in the web interface component of IP OfficeA sensitive information disclosure vulnerability was discovered in the web interface component of IP Office that may potentially allow a local user to gain unauthorized access to the component. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 though 11.0.4.3. |
Ip Office
|
| CVE-2019-7007 | Feb 28, 2020 |
A directory traversal vulnerability has been found in the Avaya Equinox Management(iView)versions R9.1.9.0 and earlierA directory traversal vulnerability has been found in the Avaya Equinox Management(iView)versions R9.1.9.0 and earlier. Successful exploitation could potentially allow an unauthenticated attacker to access files that are outside the restricted directory on the remote server. |
Aura Conferencing
|
| CVE-2019-7004 | Dec 12, 2019 |
A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server couldA Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product versions 11.x are affected. Product versions prior to 11.0, including unsupported versions, were not evaluated. |
Ip Office Application Server
|
| CVE-2019-7000 | Jul 31, 2019 |
A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura Conferencing mayA Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura Conferencing may allow code execution and potentially disclose sensitive information. Affected versions of Avaya Aura Conferencing include all 8.x versions prior to 8.0 SP14 (8.0.14). Prior versions not listed were not evaluated. |
Aura Conferencing
|
| CVE-2019-7003 | Jul 11, 2019 |
A SQL injection vulnerability in the reporting component of Avaya Control Manager couldA SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. Affected versions of Avaya Control Manager include 7.x and 8.0.x versions prior to 8.0.4.0. Unsupported versions not listed here were not evaluated. |
Control Manager
|
| CVE-2019-7001 | Apr 04, 2019 |
A SQL injection vulnerability in the WebUI component of IP Office Contact Center couldA SQL injection vulnerability in the WebUI component of IP Office Contact Center could allow an authenticated attacker to retrieve or alter sensitive data related to other users on the system. Affected versions of IP Office Contact Center include all 9.x and 10.x versions prior to 10.1.2.2.2-11201.1908. Unsupported versions not listed here were not evaluated. |
Ip Office Contact Center
|
| CVE-2019-7006 | Feb 27, 2019 |
Avaya one-X Communicator uses weak cryptographic algorithms in the client authentication componentAvaya one-X Communicator uses weak cryptographic algorithms in the client authentication component that could allow a local attacker to decrypt sensitive information. Affected versions include all 6.2.x versions prior to 6.2 SP13. |
One X Communicator
|
| CVE-2018-15617 | Feb 01, 2019 |
A vulnerability in the "capro" (Call Processor) process component of Avaya Aura Communication Manager couldA vulnerability in the "capro" (Call Processor) process component of Avaya Aura Communication Manager could allow a remote, unauthenticated user to cause denial of service. Affected versions include 6.3.x, all 7.x versions prior to 7.1.3.2, and all 8.x versions prior to 8.0.1. |
Aura Communication Manager
|
| CVE-2018-15614 | Jan 23, 2019 |
A vulnerability in the one-x Portal component of IP Office could allow an authenticated user to perform stored cross site scripting attacks via fields in the Conference Scheduler ServiceA vulnerability in the one-x Portal component of IP Office could allow an authenticated user to perform stored cross site scripting attacks via fields in the Conference Scheduler Service that could affect other application users. Affected versions of IP Office include 10.0 through 10.1 SP3 and 11.0 versions prior to 11.0 SP1. |
Ip Office
|
| CVE-2018-15616 | Oct 17, 2018 |
A vulnerability in the Web UI component of Avaya Aura System Platform could allow a remote, unauthenticated user to perform a targeted deserialization attackA vulnerability in the Web UI component of Avaya Aura System Platform could allow a remote, unauthenticated user to perform a targeted deserialization attack that could result in remote code execution. Affected versions of System Platform includes 6.3.0 through 6.3.9 and 6.4.0 through 6.4.2. |
Avaya Aura System Platform
|
| CVE-2018-15611 | Sep 27, 2018 |
A vulnerability in the local system administration component of Avaya Aura Communication Manager canA vulnerability in the local system administration component of Avaya Aura Communication Manager can allow an authenticated, privileged user on the local system to gain root privileges. Affected versions include 6.3.x and all 7.x version prior to 7.1.3.1. |
Aura Communication Manager
|
| CVE-2018-15615 | Sep 24, 2018 |
A vulnerability in the Supervisor component of Avaya Call Management SystemA vulnerability in the Supervisor component of Avaya Call Management System allows local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x. |
Call Management System Supervisor
|
| CVE-2018-15612 | Sep 21, 2018 |
A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer couldA CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. |
Orchestration Designer
|
| CVE-2018-15613 | Sep 21, 2018 |
A cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the userA cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the user. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2.1. |
Aura Orchestration Designer
|
| CVE-2018-15610 | Sep 12, 2018 |
A vulnerability in the one-X Portal component of Avaya IP OfficeA vulnerability in the one-X Portal component of Avaya IP Office allows an authenticated attacker to read and delete arbitrary files on the system. Affected versions of Avaya IP Office include 9.1 through 9.1 SP12, 10.0 through 10.0 SP7, and 10.1 through 10.1 SP2. |
Ip Office
|
| CVE-2018-6635 | Feb 05, 2018 |
System Manager in Avaya Aura before 7.1.2 does not properly use SSL in conjunction with authentication, whichSystem Manager in Avaya Aura before 7.1.2 does not properly use SSL in conjunction with authentication, which allows remote attackers to bypass intended Remote Method Invocation (RMI) restrictions, aka SMGR-26896. |
Aura
|
| CVE-2011-1229 | Apr 13, 2011 |
win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted applicationwin32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, a different vulnerability than other "Vulnerability Type 2" CVEs listed in MS11-034, aka "Win32k Null Pointer De-reference Vulnerability." |
Agent Access
Aura Conferencing Standard Edition
Basic Call Management System Reporting Desktop
And others... |