Mitel Product Security Advisory 16-0015

Unrestricted File Upload in MiCollab AWV

Advisory ID: 16-0015
Publish Date: 2016-11-04
Revision: 1.0

Summary

The document upload feature in conferences does not validate or restrict the files that a valid user can upload.

Detailed Description

AWV gives a conference leader the option of uploading documents to the server before or during a conference. This feature is vulnerable to an attack in which a malicious user could upload an executable script, which could then be used to gain access to other system files.

Affected Products

The following products were identified as affected:

| Product Name | Product Versions | Security Bulletin | Last Updated |
|--------------|------------------|-------------------|--------------|
| MiCollab AWV | AWV 6.x, AWV 5.x | 16-0015-001       | 2016-11-04   |

Risk Assessment

This vulnerability has been assessed as having a CVSS v2 Base Score of 6.0, with a moderate level of risk. Refer to the Security Bulletin above for additional information.

Mitigation / Recommended Action

Administrators of affected product versions should ensure that only trusted users are granted permissions to upload files to MiCollab conferences.

External References
https://cwe.mitre.org/data/definitions/434.html

Related CVEs / CWEs / Advisories

CWE-434