Mitel Product Security Advisory 18-0011

MiCollab SQL Injection and Stored XSS vulnerabilities

Advisory ID: 18-0011
Publish Date: 2018-10-31
Last Updated: 2018-10-31
Revision: 1.0

Summary

An SQL injection and a stored Cross Site Scripting (XSS) vulnerability have been identified in the conference component of MiCollab. These vulnerabilities if exploited could lead to exposure of sensitive information in the database or an attack against the user of the web browser.

To successfully exploit the SQL injection vulnerability, an authenticated attacker could send specially crafted URL parameters. This vulnerability could lead to the exposure and modification of sensitive information stored in the database.

To successfully exploit the stored XSS vulnerability, an authenticated attacker must enter malicious code into the database. When the user’s browser renders data, the vulnerability could allow an injected malicious script to execute in the context of the user’s browser, allowing disclosure and modification of data, and impacting the availability of the component for the impacted user.

Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel is recommending customers with affected product versions update to the latest release.

Affected Products

A Security Bulletin is being issued for the following product:

Product Name    Product Versions Security Bulletin  Last Updated 
MiCollab

8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.101);

7.3 PR6 (7.3.0.601) and earlier

8.0 (8.0.0.40) through 8.0 SP2 (8.0.2.102);

7.3 PR3 (7.3.1.302) and earlier

18-0011-001 2018-10-31
 MiVoice Business Express      

 

Risk Assessment

The risk of these vulnerabilities is rated as High. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

n/a

Related CVEs / Advisories

n/a

Revision History

Version  Date  Description 
1.0  2018-10-31  Initial version 


Ready to talk to sales? Contact us.
(844) 319-5912 Email Us