Americas
Europe
Oceania
+31 88 235 6483
+31 88 235 6483
Contact Center
Samenwerken
Zakelijke telefoonsystemen
Devices & accessoires
Vragen of opmerkingen?
+31 88 235 6483
Uw zakelijke behoefte
Uw branche
Organisatiegrootte
Onze diensten
Onze producten
Support voor klanten
Partner support
Training
Contact
Blog
Over Mitel
Vacatures
Case studies
Resource center
Summary
An XML External Entity (XXE) vulnerability has been identified in MiCollab AWV which allows a remote unauthenticated user to perform directory traversal in order to read and execute XML files within the system. This vulnerability allows remote unauthenticated attackers to read and execute the content of sensitive files by uploading malicious XML files to the server.
This vulnerability was privately reported to Mitel. At time of publishing, Mitel is not aware of customers that have been impacted by this vulnerability.
Mitel is recommending customers with affected product versions update to the latest release.
Credit and thanks are extended to Zakaria Amous of Secureworks® for bringing this to our attention.
Affected Products
A Security Bulletins is being issued for the following products:
Product Name | Product Versions | Security Bulletin | Last Updated |
MiCollab | 8.0 thru 8.0 FP2 7.2 thru 7.3 PR4 |
18-0002-001 | 2018-01-31 |
MiCollab AWV | 8.0 thru 8.0 FP2 6.2 thru 6.3 PR4 |
||
MiVoice Business Express | 8.0 thru 8.0 FP1 7.2 thru 7.3 PR2 |
Risk Assessment
The risk of this vulnerability is rated as high.
Refer to the product Security Bulletin for additional statements regarding risk.
Mitigation / Recommended Action
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
External References
n/a
Related CVEs / CWEs / Advisories
CWE-918
Revision History
Version | Date | Description |
1.0 | 2018-01-31 | Initial version |
Attachment(s)