XML External Entity (XXE) Vulnerability in MiCollab AWV

Advisory ID: 18-0002
Publish Date: 2018-01-31
Revision: 1.0


Summary


An XML External Entity (XXE) vulnerability has been identified in MiCollab AWV which allows a remote unauthenticated user to perform directory traversal in order to read and execute XML files within the system. This vulnerability allows remote unauthenticated attackers to read and execute the content of sensitive files by uploading malicious XML files to the server.

This vulnerability was privately reported to Mitel. At time of publishing, Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel is recommending customers with affected product versions update to the latest release.

Credit and thanks are extended to Zakaria Amous of Secureworks® for bringing this to our attention.

Affected Products

A Security Bulletins is being issued for the following products:

Product Name  Product Versions  Security Bulletin  Last Updated 
MiCollab 8.0 thru 8.0 FP2
7.2 thru 7.3 PR4 		18-0002-001 2018-01-31
 MiCollab AWV  8.0 thru 8.0 FP2
6.2 thru 6.3 PR4		    
 MiVoice Business Express  8.0 thru 8.0 FP1
7.2 thru 7.3 PR2		    


Risk Assessment

The risk of this vulnerability is rated as high.

Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

n/a

Related CVEs / CWEs / Advisories

CWE-918

Revision History

 Version Date  Description 
 1.0  2018-01-31  Initial version

 

Attachment(s)

Security Bulletin 18-0002


Neem contact op met Mitel
Vind een partner +31 (0)88 235 6483 Contact