CVE-2024-12755

High

Published: 11 February 2025

Published

11 February 2025

Modified

29 July 2025

KEV Added

—

Patch

—

CVSS Score 7.9 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L

EPSS Score 0.0007 21.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

A Cross-Site Scripting (XSS) vulnerability in Avaya Spaces may have allowed unauthorized code execution and potential disclose of sensitive information.

Security Summary

CVE-2024-12755 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Avaya Spaces. Published on 2025-02-11, it may allow unauthorized code execution and potential disclosure of sensitive information. The vulnerability has a CVSS v3.1 base score of 7.9 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).

The attack requires network access with high complexity, low attacker privileges, and user interaction. A low-privileged user could exploit it to execute unauthorized code in the context of another user's browser, achieving high impacts on confidentiality and integrity, along with low availability impact due to the changed scope.

Mitigation details are provided in the Avaya advisory at https://support.avaya.com/css/public/documents/101091836.

Details

CWE(s): CWE-79

Affected Products

avaya

spaces

all versions

References

https://support.avaya.com/css/public/documents/101091836
Product · securityalerts@avaya.com