MiCollab SQL Injection and Stored XSS vulnerabilities
Advisory ID: 18-0011
Publish Date: 2018-10-31
Last Updated: 2018-10-31
An SQL injection and a stored Cross Site Scripting (XSS) vulnerability have been identified in the conference component of MiCollab. These vulnerabilities if exploited could lead to exposure of sensitive information in the database or an attack against the user of the web browser.
To successfully exploit the SQL injection vulnerability, an authenticated attacker could send specially crafted URL parameters. This vulnerability could lead to the exposure and modification of sensitive information stored in the database.
To successfully exploit the stored XSS vulnerability, an authenticated attacker must enter malicious code into the database. When the user’s browser renders data, the vulnerability could allow an injected malicious script to execute in the context of the user’s browser, allowing disclosure and modification of data, and impacting the availability of the component for the impacted user.
Mitel is not aware of customers that have been impacted by this vulnerability.
Mitel is recommending customers with affected product versions update to the latest release.
A Security Bulletin is being issued for the following product:
|Product Name||Product Versions||Security Bulletin||Last Updated|
8.0 (126.96.36.199) through 8.0 SP2 FP1 (188.8.131.52);
7.3 PR6 (184.108.40.2061) and earlier
8.0 (220.127.116.11) through 8.0 SP2 (18.104.22.168);
7.3 PR3 (22.214.171.1242) and earlier
|MiVoice Business Express|
The risk of these vulnerabilities is rated as High. Refer to the product Security Bulletin for additional statements regarding risk.
Mitigation / Recommended Action
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.