CVE-2024-12756

7.3 HIGH

📋 TL;DR

An HTML injection vulnerability in Avaya Spaces allows attackers to inject malicious HTML content into web pages, potentially leading to information disclosure or page content manipulation. This affects users of Avaya Spaces collaboration platform who view compromised content.

💻 Affected Systems

Products:
  • Avaya Spaces
Versions: Specific versions not specified in advisory; all versions before patch are likely affected
Operating Systems: All platforms running Avaya Spaces
Default Config Vulnerable: ⚠️ Yes
Notes: Web-based collaboration platform; vulnerability exists in web interface components

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could inject malicious scripts to steal session cookies, credentials, or sensitive user data, potentially leading to account takeover and data breaches.

🟠 Likely Case

Attackers modify page content to display misleading information, phishing forms, or deface pages, potentially tricking users into revealing information.

🟢 If Mitigated

With proper input validation and output encoding, injected HTML would be rendered as plain text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to inject HTML into vulnerable fields; may require some user interaction

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in advisory; refer to vendor documentation

Vendor Advisory: https://support.avaya.com/css/public/documents/101091836

Restart Required: No

Instructions:

1. Review Avaya advisory 101091836
2. Apply latest Avaya Spaces updates
3. Verify patch installation
4. Test functionality

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all)

Implement strict input validation and output encoding for all user-controllable fields
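
As an added illustration of the output-encoding workaround above (example code, not Avaya's and not from the advisory), the JavaScript below places a rendering function that concatenates user text straight into markup beside one that entity-encodes the text first. The field names, the render helpers and the sample message are constructed for this example.

```javascript
// Added example: output encoding of user-controlled text before it is placed
// into an HTML page. Field names, helpers and sample values are constructed.

// Vulnerable pattern: user text is concatenated directly into markup, so a
// value containing tags becomes part of the page structure.
function renderUnsafe(displayName, message) {
  return `<li><b>${displayName}</b>: ${message}</li>`;
}

// Hardened pattern: each character with meaning in HTML is replaced by its
// entity, so the browser displays the text literally instead of parsing it.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

function renderSafe(displayName, message) {
  return `<li><b>${escapeHtml(displayName)}</b>: ${escapeHtml(message)}</li>`;
}

// Constructed sample input: a message carrying a basic HTML tag, the kind of
// probe the "How to Verify" step describes.
const sampleName = 'alice';
const sampleMessage = 'status update <b>bold</b>';

// Returns both renderings so the difference can be compared side by side:
// the unsafe output keeps <b> as markup, the safe output encodes it so the
// page shows the literal characters "<b>bold</b>".
function demo() {
  return {
    unsafe: renderUnsafe(sampleName, sampleMessage),
    safe: renderSafe(sampleName, sampleMessage),
  };
}
```

Encoding of this kind covers HTML text content and quoted attribute values only; a value inserted into a URL, a script block or a style block needs the encoder for that context, and the validation half of the workaround still applies before the value is stored.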

🧯 If You Can't Patch

  • Implement WAF rules to detect and block HTML injection patterns
  • Restrict user permissions to minimize injection opportunities

🔍 How to Verify

Check if Vulnerable:

Test user-controllable fields for HTML injection by attempting to inject basic HTML tags and observing if they render

Check Version:

Check Avaya Spaces version in admin console or via vendor documentation

Verify Fix Applied:

Retest injection attempts after patching; HTML should be displayed as plain text, not rendered

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/script patterns in user input fields
  • Multiple failed injection attempts

Network Indicators:

  • HTTP requests containing suspicious HTML/script payloads

SIEM Query:

source="avaya_spaces" AND (http_request:*<script* OR http_request:*javascript:* OR http_request:*onclick=*)
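
As an added example (not part of the advisory), the detector below applies the three patterns from the SIEM query above to a few constructed web-access log lines, percent-decoding each request first so that encoded payloads are matched as well. The third pattern is generalized from `onclick=` to any `on...=` handler attribute, and the log line format is an assumption made for this example.

```javascript
// Added example: apply the SIEM query's patterns to web log lines after
// percent-decoding, so encoded submissions are not missed. The log format
// and the sample lines are constructed for this illustration.

const INJECTION_PATTERNS = [
  /<script/i,            // script tag (as in the SIEM query)
  /javascript:/i,        // script-scheme URL (as in the SIEM query)
  /\bon[a-z]+\s*=/i,     // inline handler attribute; generalizes onclick=
];

// Decode up to two layers of percent-encoding and form "+" spaces; on a
// malformed sequence, keep whatever was decoded so far.
function decodeRequest(raw) {
  let text = raw;
  for (let i = 0; i < 2; i++) {
    try {
      const decoded = decodeURIComponent(text.replace(/\+/g, ' '));
      if (decoded === text) break;
      text = decoded;
    } catch (e) {
      break;
    }
  }
  return text;
}

// Returns the line, whether it matched, and which pattern sources matched.
function scanLogLine(line) {
  const decoded = decodeRequest(line);
  const hits = INJECTION_PATTERNS.filter((re) => re.test(decoded)).map((re) => re.source);
  return { line, flagged: hits.length > 0, hits };
}

function scanLog(lines) {
  return lines.map(scanLogLine).filter((r) => r.flagged);
}

// Constructed sample log: one benign post and three submissions that carry
// the patterns from the SIEM query in percent-encoded form.
const SAMPLE_LOG = [
  '2024-12-10T10:00:01Z 10.0.0.5 POST /api/messages body=hello%20team',
  '2024-12-10T10:00:07Z 10.0.0.9 POST /api/messages body=%3Cscript%3Ex%3C%2Fscript%3E',
  '2024-12-10T10:00:12Z 10.0.0.9 POST /api/profile displayName=%3Ca%20href%3D%22javascript%3Ax%22%3Eme%3C%2Fa%3E',
  '2024-12-10T10:00:20Z 10.0.0.7 POST /api/messages body=see%20<b%20onclick%3Dx>',
];

function demo() {
  return scanLog(SAMPLE_LOG);
}
```

A plain substring match on the raw request, which is what the SIEM query above expresses, would miss every one of the three encoded sample lines; decoding before matching is the caveat this example exists to show. The handler pattern is deliberately coarse, so treat hits as a trigger for review rather than a verdict.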
