Mitel Product Security Advisory 21-0005

Mitel MiCollab Multiple Security Vulnerabilities

Advisory ID: 21-0005

Publish Date: 2021-05-24

Last Updated: 2021-05-24

Revision: 1.0


Summary

The following vulnerabilities were privately reported to Mitel:

The MiCollab Client Service component in Mitel MiCollab could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization.

The MiCollab Client Service component in Mitel MiCollab could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods.

The AWV and MiCollab Client Service components in Mitel MiCollab could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiation requests due to insufficient TLS session controls. A successful exploit could allow an attacker to modify application data and state.

The MiCollab Client Service component in Mitel MiCollab could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data and cause a denial of service for users.

The AWV component of Mitel MiCollab could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.

The MiCollab Client Service component in Mitel MiCollab could allow an attacker to perform a clickjacking attack due to an insecure response header. A successful exploit could allow an attacker to modify the browser header and redirect users.
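As an added verification check (not part of Mitel's advisory or product code), the function below classifies whether an HTTP response's headers restrict framing, which is the control whose absence enables the clickjacking weakness described above. It assumes only the standard X-Frame-Options and Content-Security-Policy frame-ancestors headers; the sample responses are constructed, not captured from any product.

```python
# Added example: evaluate whether an HTTP response's headers protect against
# clickjacking (the weakness class named in the advisory's last item).
# Not Mitel code; the sample headers below are constructed.

def frame_ancestors_policy(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip().strip("'").lower() for p in parts[1:]]
    return None

def clickjacking_protection(headers: dict) -> str:
    """Classify a response's framing protection.

    Returns "csp" if Content-Security-Policy restricts frame-ancestors,
    "xfo" if only X-Frame-Options DENY/SAMEORIGIN is present, otherwise
    "none". Header names are matched case-insensitively, as in HTTP.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    # that support it; 'none' or an explicit origin list both restrict framing.
    csp = h.get("content-security-policy")
    if csp:
        fa = frame_ancestors_policy(csp)
        if fa is not None and "*" not in fa:
            return "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is ignored by modern browsers, so it gives no protection.
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"

SAMPLE_RESPONSES = {  # constructed, not captured from any product
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"content-type": "text/html", "X-Frame-Options": "sameorigin"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "ALLOW-FROM https://example.com"},
}

def audit(responses=SAMPLE_RESPONSES) -> dict:
    """Map each sample response name to its protection verdict."""
    return {name: clickjacking_protection(hdrs) for name, hdrs in responses.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

Run it against the headers of a patched deployment's login and API responses to confirm that the verdict is no longer "none".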

Mitel recommends that customers with affected product versions update to the latest release.


Affected Products


Risk Assessment

The risks for these vulnerabilities are rated from Medium to High. Refer to the product Security Bulletins for additional statements regarding risk.


Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.


External References

N/A


Related CVEs / CWEs / Advisories

CVE-2021-32067 CVE-2021-32072 CVE-2021-32068 CVE-2021-32071 CVE-2021-32069 CVE-2021-32070


Revision History

Version Date Description
1.0 2021-05-24 Initial version