Advisory ID: 20-0005
Publish Date: 2020-05-01
Last Updated: 2020-05-01
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories (CVE-2020-11798).
Credit is given to Tri Bui, an Independent Security Researcher, for highlighting this issue and bringing this to our attention.
Following vulnerability was privately reported:
An Authentication Bypass vulnerability in the Published Area of the web conferencing component of Mitel MiCollab AWV before 126.96.36.199 and 9.x before 9.1.3 could allow an unauthenticated attacker to gain access to unauthorized information due to insufficient access validation. A successful exploit could allow an attacker to access sensitive shared files (CVE-2020-11797).
Mitel is recommending customers with affected product versions, update to the latest release.
Security Bulletins are being issued for the following products:
|Product Name||Product Version||Security Bulletin||Last Updated|
MiCollab 8.1.2 and earlier
MiCollab 9.1.2 and earlier
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.