Mitel Product Security Advisory 22-0006

Mitel MiCollab Multiple Security Vulnerabilities

Advisory ID: 22-0006

Publish Date: 2022-07-27

Last Updated: 2022-08-29

Revision: 3.0

Summary

The following vulnerabilities were privately reported to Mitel.

A vulnerability has been identified in the web conferencing component of MiCollab which could allow upload of malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application.

A vulnerability has been identified in the MiCollab Client server component of MiCollab which could allow a Server-Side Request Forgery attack. A successful exploit could allow an attacker to leverage connections and permissions available to the host server.

Credit is given to Shaquin Trifonoff of Lateral Security for highlighting these two issues and bringing to our attention.

A vulnerability has been identified in the MiCollab Client API component of MiCollab which could allow an authenticated attacker to control another extension number or allow an authenticated attacker to impersonate another user's name.

Mitel is recommending customers with affected product versions apply the available remediation.

Affected Products

Product Name

Product Version

Security Bulletin

Last Updated

MiCollab

9.5.0.101 and earlier

22-0006-001
22-0006-002
22-0006-003

2022-08-29
2022-08-08
2022-08-08

Note: MiVoice Business Express included earlier versions of MiCollab and is also affected.

Risk Assessment

The risks for these vulnerabilities are rated from Medium to Critical. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued a new release of MiCollab, and mitigations for earlier releases. Customers are advised to update to the latest version.

Customers are advised to review the product Security Bulletins. For additional information, contact Mitel Product Support.

Related CVEs / CWEs / Advisories

CVE-2022-36451 CVE-2022-36452 CVE-2022-36453 CVE-2022-36454

Revision History

Version	Date	Description
1.0	2022-07-27	Initial Version
2.0	2022-08-08	Updated assessment and bulletins
3.0	2022-08-29	Updated bulletins

First Name

Last Name

Email Address

Relationship to Mitel

By providing the above information, you agree that we may process your personal data in accordance with our Privacy Policy.

Do you agree to the terms and conditions of using our services?

Search

Select your Region/Country/Language

Americas

Europe

Oceania