Mitel Product Security Advisory 16-0005

XSS vulnerability in MiCC 7.x

Advisory ID: 16-0005
Publish Date: 2016-03-07
Revision: 1.0

Summary

A moderate-risk vulnerability has been identified in MiCC versions 7.x.  These versions are vulnerable to a XSS (cross-site scripting) attack, whereby successful exploitation would result in partial compromise of integrity and limited session data.

Detailed Description

OWASP defines a Cross-site Scripting (XSS) attack as follows:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

Affected Products

Product Name

Product Versions

Security Bulletin

Last Updated

MiCC

7.x

16-0005-001

2016-03-07

Risk Assessment

This vulnerability presents moderate risk.  Refer to product Security Bulletins for additional information.

Mitigation / Recommended Action

It is recommended that customers review the aforementioned security bulletin for further details, and update to a newer version of MiCC which doesn’t contain these vulnerabilities.  

External References

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Related CVEs / Advisories

n/a