CVE-2020-7030

MEDIUM

Avaya IP Office 9.x, 10.0-10.1.0.7, 11.0-11.0.4.3 - Insufficiently Protected Credentials

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7030. PoCs published by hyp3rlinx.

AI-analyzed exploit summary This is a vulnerability writeup for CVE-2020-7030, detailing an insecure transit password disclosure in Avaya IP Office. The issue involves Base64-encoded credentials being passed in URL query strings, which can be leaked through browser history, logs, or proxy caches.

Description

A sensitive information disclosure vulnerability was discovered in the web interface component of IP Office that may potentially allow a local user to gain unauthorized access to the component. Affected versions of IP Office include: 9.x, 10.0 through 10.1.0.7 and 11.0 though 11.0.4.3.

Exploits (1)

exploitdb WRITEUP
by hyp3rlinx · textwebappsmultiple
https://www.exploit-db.com/exploits/48581

This is a vulnerability writeup for CVE-2020-7030, detailing an insecure transit password disclosure in Avaya IP Office. The issue involves Base64-encoded credentials being passed in URL query strings, which can be leaked through browser history, logs, or proxy caches.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Avaya IP Office v9.1.8.0 - 11
No auth needed
Prerequisites: Access to a system where the Avaya IP Office web interface was previously accessed
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Vendor Advisory x_refsource_confirm
https://downloads.avaya.com/css/P8/documents/101067493
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Jun/12

Scores

CVSS v3 5.5
EPSS 0.0100
EPSS Percentile 58.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200 CWE-522
Status published
Products (3)
avaya/ip_office 9.0 (13 CPE variants)
avaya/ip_office 9.1 (12 CPE variants)
avaya/ip_office 10.0 - 10.1.0.7
Published Jun 04, 2020
Tracked Since Feb 18, 2026