Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Avaya Aura AES - Authorisation Bypass
From: Context IS - Disclosure <disclosure () contextis co uk>
Date: Thu, 6 Jan 2011 10:11:53 +0000

Systems Affected:    Avaya Aura AES (Application Enablement Services) 4.x.x 
Severity:            Medium
Category:            Authorisation Bypass
Author:              Context Information Security Ltd
Reported to vendor:  9th September 2010
Advisory Issued:     6th January 2011
The Avaya AES application suffers from an authorisation bypass vulnerability 
that allows a low level user to execute administrative functions.  
A flaw in the authorisation function validating whether a user is permitted 
to execute a desired function, allows low level users to execute some 
administrative functions leading to an authorisation bypass and privilege 
escalation vulnerability. 
Technologies Affected
Avaya Aura™ Application Enablement Services (4.x.x)
Vendor Response
Disclosure Timeline
9th September 2010 – Vendor Disclosure
10th December 2010 – Vendor Releases Advisory
Ben Heinkel of Context Information Security Ltd
About Context Information Security
Context Information Security is an independent security consultancy specialising 
in both technical security and information assurance services The company was 
founded in 1998. Its client base has grown steadily over the years, thanks in large 
part to personal recommendations from existing clients who value us as business 
partners. We believe our success is based on the value our clients place on our 
product-agnostic, holistic approach; the way we work closely with them to develop 
a tailored service; and to the independence, integrity and technical skills of our 
The company’s client base now includes some of the most prestigious blue chip 
companies in the world, as well as government organisations.
The best security experts need to bring a broad portfolio of skills to the job, 
so Context has always sought to recruit staff with extensive business experience 
as well as technical expertise. Our aim is to provide effective and practical 
solutions, advice and support: when we report back to clients we always communicate 
our findings and recommendations in plain terms at a business level as well as in 
the form of an in-depth technical report.
Web:        www.contextis.co.uk
Email:      disclosure () contextis co uk
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Avaya Aura AES - Authorisation Bypass Context IS - Disclosure (Jan 06)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]