Mitel Product Security Advisory MISA-2024-0025
Mitel Product Security Advisory MISA-2024-0025
MiCollab CRLF Injection Vulnerability
Advisory ID: MISA-2024-0025
Publish Date: 2024-10-09
Last Updated: 2024-10-09
Revision: 1.0
Summary
A CRLF injection vulnerability in the Audio, Web and Video Conferencing (AWV) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a phishing attack due to inadequate encoding of user input in URLs.
A successful exploit could allow an impact on the integrity of the user interaction. There is no impact to the confidentiality or the availability of the system.
This vulnerability requires an attacker to send a maliciously crafted URL to the victim and deceive them into clicking it. The attack’s success depends on the victim’s interaction. A successful exploit of this vulnerability could allow an attacker to redirect users to malicious websites.
The vulnerability severity is rated as medium.
Mitel is recommending customers with affected product versions update to the latest release.
Credit is given to Patrick Webster of OSI Security for highlighting these issues and bringing these to our attention.
Affected Products
This security advisory provides information on the following products:
| Product Name | Version(s) Affected | Solution(s) Available |
|---|---|---|
| MiCollab | 9.8 SP1 FP2 (9.8.1.201) and earlier | Upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later |
Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.
Vulnerability Severity
The following products have been identified as affected:
| Product Name | CVE ID | Severity | CVSS 3.1 Base Score |
|---|---|---|---|
| MiCollab | CVE-2024-47224 | Medium / 6.5 | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
The vulnerability severity is rated as medium.
Solution/ Recommended Action
This issue is corrected in MiCollab 9.8 SP2 (9.8.2.12). Customers are advised to upgrade to this or subsequent releases.
Please see Mitel Knowledge Base article SO8232, “MiCollab Security Update CVE-2024-47224 - CRLF Injection Vulnerability” https://mitel.custhelp.com/app/answers/answer_view/a_id/1021023
If you do not have access to this link, please contact your Mitel Authorized Partner for support.
For further information, please contact Mitel Product Support.
Related CVEs / CWEs / Advisories
CVE-2024-47224
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 2024-10-09 | Initial release |
The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation.