Advisory ID: 18-0005
Publish Date: 2018-03-06
A blind Cross-site Scripting (XSS) vulnerability has been identified in Mitel for Salesforce softphone component used with Connect ONSITE and ST 14.2. To successfully exploit this vulnerability, an attacker must enter malicious code into the database. When the Mitel for Salesforce softphone component renders data in the browser, the vulnerability could allow an injected malicious script to execute in the context of the integration allowing disclosure and modification of data, and impacting the availability of the component for the impacted user.
This vulnerability was privately reported to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.
Mitel has made available an updated release to address this vulnerability.
Credit is given to Ben Sadeghipour - NahamSec.com for the discovery.
A Security Bulletin is being issued for the following product:
|Product Name||Product Versions||Security Bulletin||Last Updated|
|Mitel for Salesforce||22.214.171.124 and earlier||18-0005-001||2018-03-06|
The risk of this vulnerability is rated as high. Refer to the product Security Bulletin for additional statements regarding risk.
Mitigation / Recommended Action
Mitel has made available an updated release to address this vulnerability. In most cases, this update will be automatically deployed to users. Customers who are concerned should review the Security Bulletin for steps to verify and if required update their Mitel for SalesForce software.
Customers are advised to review the product Security Bulletin. For additional information, contact your partner or Mitel customer support at: https://oneview.mitel.com/s/support.
Related CVEs / CWEs / Advisories