Mitel Product Security Advisory 17-0012

SSRF/XSPA Vulnerability in MiContact Center Business

Advisory ID: 17-0012
Publish Date: 2017-12-08
Revision: 1.0

Summary

A security vulnerability has been identified in MiContact Center Business that permits Server Side Request Forgery (SSRF) and Cross Site Persistent Access (XSPA). It could permit an attacker to supply or modify a URL that code running on the server then reads from or submits data to. This may allow an attacker to read server configuration metadata and to connect to internal services and internal databases.

Credit is given to Jamieson O’Reilly of Content Protection (Australia) for identifying this vulnerability and bringing this to our attention.

Affected Products

A Security Bulletin has been issued for the following product:

Product Name               Product Versions       Security Bulletin   Last Updated
MiContact Center Business  8.0.0.0 thru 8.1.3.0   17-0012-001         2017-12-08

Risk Assessment

The risk of this vulnerability is rated as high. Refer to the related product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued an updated release of the affected software. Customers are advised to update their software to the latest version.

An immediate mitigation strategy is to block external access to the web portal, or to disable the chat functionality. However, this will impact chat services provided by this unit.
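The Summary describes the root cause: the server fetches a URL that a user can supply or modify. The following is an added example, not Mitel's code, of the outbound-URL check a server-side component should apply before fetching on a user's behalf; the allow-listed hostnames are hypothetical, and the resolver is injectable so the check can be exercised without DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allow-list of hosts the component may fetch from; a real
# deployment would load this from configuration rather than hard-code it.
ALLOWED_HOSTS = {"chat.example.com", "cdn.example.com"}


def _resolve(host):
    """Resolve a hostname to all of its IPv4/IPv6 addresses (uses the network)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolve=_resolve):
    """Return True only if the server may fetch `url` on a user's behalf.

    Rejects non-http(s) schemes, embedded credentials, hosts outside the
    allow-list, and any host whose resolved addresses are not globally
    routable (loopback, private ranges, link-local including the
    169.254.169.254 cloud metadata endpoint, reserved ranges).
    """
    try:
        parts = urlparse(url)
        host = parts.hostname          # can raise ValueError on bad IPv6 literals
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):        # no file://, gopher://, ftp://
        return False
    if not host or parts.username or parts.password:  # reject user@host confusion
        return False
    if host not in ALLOWED_HOSTS:                     # urlparse lowercases hostname
        return False
    # Resolve right before use and check every address: a DNS record can point
    # an allow-listed name at an internal address (DNS rebinding style abuse).
    try:
        addrs = resolve(host)
    except (socket.gaierror, OSError):
        return False
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)
```

The fetch itself must also refuse to follow redirects blindly, since a redirect target bypasses a check done only on the initial URL.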

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

https://www.owasp.org/index.php/Server_Side_Request_Forgery

Related CVEs / CWEs / Advisories

CWE-918
