Mitel Product Security Advisory 16-0001

SQL Injection Vulnerability in MiCollab

Advisory ID: 16-0001
Publish Date: 2016-02-01
Revision: v1.0

Summary

A SQL injection vulnerability has been identified in MiCollab 7.0 which, if successfully exploited, could allow an attacker to access sensitive information in the MiCollab database.

Detailed Description

As defined by the Open Web Application Security Project (OWASP):

A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

Review the link provided in the External References section for more information.

Affected Products

The following products have been identified as affected:

Product Name | Product Versions | Security Bulletin | Last Updated
MiCollab | v7.0 | 16-0001-001 | 2016-02-01

Risk Assessment

The risk of this vulnerability is rated as high. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Customers are advised to review the product Security Bulletin and to contact support to determine applicability and to get instructions for obtaining and applying a patch.

External References

https://www.owasp.org/index.php/SQL_Injection

Related CVEs

None