Mitel Product Security Advisory 21-0005

Mitel MiCollab Multiple Security Vulnerabilities

Advisory ID: 21-0005

Publish Date: 2021-05-24

Last Updated: 2021-05-24

Revision: 1.0

Summary

Following multiple vulnerabilities were privately reported to Mitel
The MiCollab Client Service component in Mitel MiCollab could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization.

The MiCollab Client Service component in Mitel MiCollab could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods
The AWV and MiCollab Client Service components in Mitel MiCollab could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiations requests due to insufficient TLS session controls. A successful exploit could allow an attacker to modify application data and state.

The MiCollab Client service in Mitel MiCollab could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data and cause a denial of service for users.

The AWV component of Mitel MiCollab could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.

The MiCollab Client Service component in Mitel MiCollab could allow an attacker to perform a clickjacking attack due to insecure header response. A successful exploit could allow an attacker to modify the browser header and redirect users.

Mitel is recommending customers with affected product versions to update to the latest release.

Affected Products

Product Name

Product Version

Security Bulletin

Last Updated

MiCollab

MiCollab 9.2 FP2 and earlier

2021-05-24

Risk Assessment

The risks for these vulnerabilities are rated from Medium to High. Refer to the product Security Bulletins for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

N/A

Related CVEs / CWEs / Advisories

CVE-2021-32067 CVE-2021-32072 CVE-2021-32068 CVE-2021-32071 CVE-2021-32069 CVE-2021-32070

Revision History

Version	Date	Description
1.0	2021-05-24	Initial version

Version

Date

Description

1.0

2021-05-24

Initial version

First Name

Last Name

Email Address

Relationship to Mitel

By providing the above information, you agree that we may process your personal data in accordance with our Privacy Policy.

Do you agree to the terms and conditions of using our services?

Search

Select your Region/Country/Language

Americas

Europe

Oceania