CVE-2024-12756
Published: 11 February 2025
Summary
CVE-2024-12756 is a high-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in Avaya Spaces. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-12756 is an HTML Injection vulnerability in Avaya Spaces that may allow disclosure of sensitive information or modification of the page content seen by the user. Published on 2025-02-11, it is linked to CWE-1287 (Improper Validation of Specified Type of Input) and CWE-79 (Cross-site Scripting). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N), indicating high severity: network attack vector, high attack complexity, high privileges required, user interaction required, changed scope, high confidentiality and integrity impacts, and no availability impact.
Exploitation requires an attacker with high privileges (PR:H) to have network access (AV:N), perform a high-complexity attack (AC:H), and induce user interaction (UI:R). A successful attack could enable the privileged attacker to disclose sensitive information or modify page content viewed by targeted users, leveraging the changed scope (S:C) for high confidentiality (C:H) and integrity (I:H) effects.
The Avaya advisory provides details on mitigation, available at https://support.avaya.com/css/public/documents/101091836.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51091
Vulnerability details
An HTML Injection vulnerability in Avaya Spaces may have allowed disclosure of sensitive information or modification of the page content seen by the user.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
HTML injection/XSS in a web application (Avaya Spaces) directly enables exploitation of public-facing apps (T1190) and can facilitate drive-by compromise by injecting malicious client-side content/scripts visible to users (T1189).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the root cause of CWE-1287 improper input validation that enables HTML injection in Avaya Spaces.
- Prevents execution of injected HTML by filtering and encoding output, mitigating CWE-79 cross-site scripting effects.
- Ensures timely identification and remediation of the specific HTML injection flaw in Avaya Spaces to prevent exploitation.