CVE-2023-3722

HIGH EXPLOITED NUCLEI

Avaya Aura Device Services < 8.1.4.0 - Unrestricted File Upload

Title source: rule

Description

An OS command injection vulnerability was found in the Avaya Aura Device Services Web application which could allow remote code execution as the Web server user via a malicious uploaded file. This issue affects Avaya Aura Device Services version 8.1.4.0 and earlier.

Exploits (1)

nomisec WORKING POC 2 stars

by pizza-power · remote

https://github.com/pizza-power/CVE-2023-3722

View Code ZIP pw:eip

Nuclei Templates (1)

Avaya Aura Device Services - OS Command Injection

HIGHVERIFIEDby iamnoooob,pdresearch

Shodan: html:"Avaya Aura® Utility Services"

FOFA: body="Avaya Aura® Utility Services"

References (1)

[Release Notes] https://download.avaya.com/css/public/documents/101076366

Scores

CVSS v3 8.6

EPSS 0.5087

EPSS Percentile 97.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Exploitation Intel

VulnCheck KEV 2023-08-17

Classification

CWE

CWE-434

Status published

Affected Products (1)

avaya/aura_device_services < 8.1.4.0

Timeline

Published Jul 19, 2023

Tracked Since Feb 18, 2026