CVE-2024-12756

High

Published: 11 February 2025

Published

11 February 2025

Modified

01 October 2025

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

EPSS Score 0.0005 15.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user.

Security Summary

CVE-2024-12756 is an HTML Injection vulnerability in Avaya Spaces that may allow disclosure of sensitive information or modification of the page content seen by the user. Published on 2025-02-11, it is linked to CWE-1287 (Improper Validation of Specified Index or Position) and CWE-79 (Cross-site Scripting). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N), indicating high severity with network vector, high attack complexity, privileged access requirements, user interaction, changed scope, high confidentiality and integrity impacts, and no availability impact.

Exploitation requires an attacker with high privileges (PR:H) to have network access (AV:N), perform a high-complexity attack (AC:H), and induce user interaction (UI:R). A successful attack could enable the privileged attacker to disclose sensitive information or modify page content viewed by targeted users, leveraging the changed scope (S:C) for high confidentiality (C:H) and integrity (I:H) effects.

The Avaya advisory provides details on mitigation, available at https://support.avaya.com/css/public/documents/101091836.

Details

CWE(s): CWE-1287CWE-79

Affected Products

avaya

spaces

all versions

References

https://support.avaya.com/css/public/documents/101091836
Not Applicable · securityalerts@avaya.com