Connect OnSite and ST 14.2 Multiple PHP Vulnerabilities

Advisory ID: 18-0004
Publish Date: 2018-03-06
Revision: 1.0

Summary

Multiple PHP injection and malicious file upload vulnerabilities have been identified in Connect ONSITE and ST 14.2. These vulnerabilities could allow a malicious actor to execute arbitrary code in the context of the application allowing disclosure and modification of data and impacting the availability of the system.

These vulnerabilities were privately reported to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel is recommending customers with affected product versions update to the latest release.

Credit is given to Jared McLaren of SecureWorks for highlighting these issues and bringing these to our attention.

Affected Products

A Security Bulletin is being issued for the following product:

Product Name  Product Versions  Security Bulletin  Last Updated 
Connect ONSITE ST14.2 18-0004 -001   2018-03-06 

Risk Assessment

The risk of these vulnerabilities is rated as high. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For details on upgrading to the latest Connect ONSITE release, please review the Connect software download page on the partner portal and/or contact your partner or Mitel customer support at: https://oneview.mitel.com/s/support.

External References
n/a

Related CVEs / CWEs / Advisories
CVE-2018-5779
CVE-2018-5780
CVE-2018-5781
CVE-2018-5782
CVE-2017-16250
CVE-2017-16251

Revision History

Version  Date  Description 
 1.0 2018-03-06 Initial version

 

Attachment(s)

Security Bulletin-18-0004

 


Stay One Step Ahead

Ready to talk to sales? Contact us.
Find a Partner (844) 319-5912 Email Us