Avaya Radvision SCOPIA Desktop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Avaya Radvision SCOPIA Desktop versions 7.7.000.042 and 8.2.101.046 are vulnerable.
Information
Avaya Radvision Scopia Desktop 7.7.000.042
Exploit
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
References:
- Avaya Homepage (Avaya Inc.)
- Avaya Radvision SCOPIA Desktop dlg_loginownerid.jsp ownerid SQL Injection (OSISecurity)
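A log check for the affected endpoint, added here as an example (not from the advisory, the researcher or the vendor): it flags requests to dlg_loginownerid.jsp whose ownerid value contains SQL syntax. The combined access-log format, the /scopia/ path, delivery of ownerid in the query string, the keyword list and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the OSISecurity reference title.
ENDPOINT = "dlg_loginownerid.jsp"
PARAM = "ownerid"

# Assumption: "combined"-style access log with the request line in quotes.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Assumption: a legitimate ownerid never contains quotes, comment markers
# or SQL keywords, so any of these in the decoded value is worth a look.
SUSPICIOUS_RE = re.compile(
    r"""['";]|--|/\*|\b(?:union|select|or|and|sleep|waitfor)\b""", re.I)

def suspicious_ownerid(line):
    """Return the decoded ownerid value if the line is a request to the
    endpoint and the value looks like SQL syntax, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/" + ENDPOINT):
        return None
    # parse_qs percent-decodes values, so encoded quotes are caught too.
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        if SUSPICIOUS_RE.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        value = suspicious_ownerid(line)
        if value is not None:
            hits.append((n, value))
    return hits

# Constructed sample lines (documentation addresses, hypothetical path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET /scopia/dlg_loginownerid.jsp?ownerid=1042 HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2014:10:00:05 +0000] "GET /scopia/dlg_loginownerid.jsp?ownerid=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2014:10:00:09 +0000] "GET /scopia/index.jsp?ownerid=%27 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, value in scan(SAMPLE_LOG):
        print(f"line {n}: suspicious ownerid={value!r}")
```

If the application sends ownerid in a POST body, the same check has to run where request bodies are visible, such as a reverse proxy or WAF log, because a standard access log will not record the value.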