Mitel Product Security Advisory 20-0005

MiCollab Multiple Security Vulnerabilities

Advisory ID: 20-0005

Publish Date: 2020-05-01

Last Updated: 2020-05-01

Revision: 1.0

 

Summary

A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories (CVE-2020-11798).

Credit is given to Tri Bui, an Independent Security Researcher, for highlighting this issue and bringing this to our attention.

Following vulnerability was privately reported:

An Authentication Bypass vulnerability in the Published Area of the web conferencing component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an unauthenticated attacker to gain access to unauthorized information due to insufficient access validation. A successful exploit could allow an attacker to access sensitive shared files (CVE-2020-11797).

Mitel is recommending customers with affected product versions, update to the latest release.

 

 

Affected Products

Security Bulletins are being issued for the following products:

 

Risk Assessment

The risks for these vulnerabilities are rated from Medium to High. Refer to the product Security Bulletins for additional statements regarding risk.

 

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

 

 

External References

N/A

 

Related CVEs / CWEs / Advisories

CVE-2020-11798 CVE-2020-11797

 

Revision History

Version Date Description
1.0 2020-05-01 Initial Version
Ready to talk to sales? Contact us.