Mitel Product Security Advisory 21-0005
Mitel Product Security Advisory 21-0005
Mitel MiCollab Multiple Security Vulnerabilities
Advisory ID: 21-0005
Publish Date: 2021-05-24
Last Updated: 2021-05-24
Revision: 1.0
Summary
Following multiple vulnerabilities were privately reported to Mitel
The MiCollab Client Service component in Mitel MiCollab could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization.
The MiCollab Client Service component in Mitel MiCollab could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods
The AWV and MiCollab Client Service components in Mitel MiCollab could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiations requests due to insufficient TLS session controls. A successful exploit could allow an attacker to modify application data and state.
The MiCollab Client service in Mitel MiCollab could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data and cause a denial of service for users.
The AWV component of Mitel MiCollab could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.
The MiCollab Client Service component in Mitel MiCollab could allow an attacker to perform a clickjacking attack due to insecure header response. A successful exploit could allow an attacker to modify the browser header and redirect users.
Mitel is recommending customers with affected product versions to update to the latest release.
Affected Products
| Product Name | Product Version | Security Bulletin | Last Updated |
|---|---|---|---|
| MiCollab | MiCollab 9.2 FP2 and earlier | 2021-05-24 |
Risk Assessment
The risks for these vulnerabilities are rated from Medium to High. Refer to the product Security Bulletins for additional statements regarding risk.
Mitigation / Recommended Action
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
External References
N/A
Related CVEs / CWEs / Advisories
CVE-2021-32067
CVE-2021-32072
CVE-2021-32068
CVE-2021-32071
CVE-2021-32069
CVE-2021-32070
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 |
2021-05-24 | Initial version |