CVE-2012-3811 - Vulnerability Details - OpenCVE

Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Avaya	Ip Office Customer Call Reporter

Configuration 1 [-]

OR	cpe:2.3:a:avaya:ip_office_customer_call_reporter:7.0:::::::*
	cpe:2.3:a:avaya:ip_office_customer_call_reporter:8.0:::::::*

No data.

References

Link	Providers
http://zerodayinitiative.com/advisories/ZDI-12-106/
https://downloads.avaya.com/css/P8/documents/100164021

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2012-07-03T19:00:00Z

Updated: 2024-09-16T17:33:28.487Z

Reserved: 2012-06-27T00:00:00Z

Link: CVE-2012-3811

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2012-07-03T19:55:04.663

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-3811

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2012-07-03T19:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://zerodayinitiative.com/advisories/ZDI-12-106/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://downloads.avaya.com/css/P8/documents/100164021"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-3811", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://zerodayinitiative.com/advisories/ZDI-12-106/", "refsource": "MISC", "url": "http://zerodayinitiative.com/advisories/ZDI-12-106/"}, {"name": "https://downloads.avaya.com/css/P8/documents/100164021", "refsource": "CONFIRM", "url": "https://downloads.avaya.com/css/P8/documents/100164021"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T20:21:04.056Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://zerodayinitiative.com/advisories/ZDI-12-106/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://downloads.avaya.com/css/P8/documents/100164021"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-3811", "datePublished": "2012-07-03T19:00:00Z", "dateReserved": "2012-06-27T00:00:00Z", "dateUpdated": "2024-09-16T17:33:28.487Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avaya:ip_office_customer_call_reporter:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D595B22-63D4-4285-AD5C-7A3F8F22457B", "vulnerable": true}, {"criteria": "cpe:2.3:a:avaya:ip_office_customer_call_reporter:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF2A34F3-AF83-4217-9D0C-5883CD5486A8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unrestricted file upload vulnerability in ImageUpload.ashx in the Wallboard application in Avaya IP Office Customer Call Reporter 7.0 before 7.0.5.8 Q1 2012 Maintenance Release and 8.0 before 8.0.9.13 Q1 2012 Maintenance Release allows remote attackers to execute arbitrary code by uploading an executable file and then accessing it via a direct request."}, {"lang": "es", "value": "Vulnerabilidad de subida de fichero no restringido en ImageUpload.ashx en la aplicaci\u00f3n Wallboard en Avaya IP Office Customer Call Reporter v7.0 anteriores a v7.0.5.8 Q1 2012 Maintenance Release y v8.0 anteriores a v8.0.9.13 Q1 2012 Maintenance Release, permite a atacantes remotos ejecutar c\u00f3digo subiendo un fichero ejecutable y accediendo a \u00e9l a trav\u00e9s de una petici\u00f3n directa."}], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/434.html\r\n\r\n'CWE-434: Unrestricted Upload of File with Dangerous Type'", "id": "CVE-2012-3811", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2012-07-03T19:55:04.663", "references": [{"source": "cve@mitre.org", "url": "http://zerodayinitiative.com/advisories/ZDI-12-106/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://downloads.avaya.com/css/P8/documents/100164021"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://zerodayinitiative.com/advisories/ZDI-12-106/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://downloads.avaya.com/css/P8/documents/100164021"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}