CVE-2019-7004

MEDIUM

Avaya IP Office Application Server 11.0-11.0.4.0 - Cross-Site Scripting in WebUI

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-7004. PoCs published by Scott Goodwin.

AI-analyzed exploit summary: This exploit demonstrates a reflected XSS vulnerability in Avaya IP Office Application Server 11.0.0.0 and earlier. The PoC provides a crafted username input that, when submitted via a POST request, executes arbitrary JavaScript in the context of the browser.

Description

A Cross-Site Scripting (XSS) vulnerability in the WebUI component of IP Office Application Server could allow unauthorized code execution and potentially disclose sensitive information. All product versions 11.x are affected. Product versions prior to 11.0, including unsupported versions, were not evaluated.

Exploits (1)

exploitdb WORKING POC
by Scott Goodwin · text · webapps · hardware
https://www.exploit-db.com/exploits/48105

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Avaya IP Office Application Server 11.0.0.0 and before
No auth needed
Prerequisites: Access to the login page of the vulnerable Avaya IP Office Application Server
devstral-2 · analyzed Feb 16, 2026

References (2)

Vendor Advisory x_refsource_confirm
https://support.avaya.com/css/P8/documents/101062833

Scores

CVSS v3: 5.4
EPSS: 0.0218
EPSS Percentile: 80.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): avaya/ip_office_application_server 11.0 - 11.0.4.0
Published: Dec 12, 2019
Tracked Since: Feb 18, 2026