Mitel Product Security Advisory 20-0015

Mitel MiCollab Multiple Security Vulnerabilities

Advisory ID: 20-0015

Publish Date: 2020-11-12

Last Updated: 2020-11-02

Revision: 1.0

Summary

The following vulnerabilities were privately reported to Mitel and have been addressed in Mitel MiCollab:

A cross-site scripting vulnerability in the AWV component of Mitel MiCollab, caused by improper input validation, could allow an attacker to view system information by submitting arbitrary code. A successful exploit could allow an attacker to view system information.

Credit is given to Youssef A. Mohamed (GeneralEG) of Buguard Labs for highlighting this issue and bringing it to our attention.


The AWV component of Mitel MiCollab could allow an attacker to gain access to a web conference due to insufficient access controls on conference codes. A successful exploit could allow an attacker to gain access to an unsecured conference. As an additional security measure, Mitel recommends securing conferences by configuring conference passwords.

Credit is given to Vladimir Toutain of Certilience for highlighting this issue and bringing it to our attention.


The following additional vulnerabilities were privately reported:

The NuPoint Messenger of Mitel MiCollab could allow an attacker with escalated privileges to access user files due to insufficient access control. A successful exploit could potentially allow an attacker to gain access to sensitive information.

A cross-site scripting vulnerability in the AWV portal of Mitel MiCollab, caused by improper input validation, could allow an attacker to gain access to conference information by submitting arbitrary code. A successful exploit could allow an attacker to view user conference information.

The online help portal of Mitel MiCollab could allow an attacker to redirect a user to an unauthorized website by executing malicious scripts, due to insufficient access control. A successful exploit could allow an attacker to perform an unauthorized URL redirection to a potentially malicious website.

A cross-site scripting vulnerability in the NuPoint Messenger portal of Mitel MiCollab could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation. A successful exploit could allow an attacker to view and modify user data.

An SQL injection vulnerability in the SAS portal of Mitel MiCollab could allow an attacker to access user credentials due to improper input validation. A successful exploit could allow an attacker to gain unauthorized access to sensitive information.

Mitel recommends that customers running affected product versions update to the latest release.

Affected Products

Risk Assessment

The risk for these vulnerabilities is rated from Medium to High. Refer to the product Security Bulletins for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

Related CVEs / CWEs / Advisories

CVE-2020-25606, CVE-2020-25608, CVE-2020-25609, CVE-2020-25610, CVE-2020-25611, CVE-2020-25612, CVE-2020-27340

Revision History