Mitel Product Security Advisory MISA-2025-0010

MiContact Center Business and Mitel CX Cross Site Scripting (XSS) Vulnerability

Advisory ID: MISA-2025-0010

Publish Date: 2025-12-10

Last Updated: 2025-12-10

Revision: 1.0

Summary

A cross-site scripting (XSS) vulnerability has been identified in the Ignite Mail component of MiContact Center Business and Mitel CX. Due to insufficient input validation, a successful exploit could allow an unauthenticated attacker to conduct a stored cross-site scripting (XSS) attack.

A successful exploit of this vulnerability requires user interaction and could allow an attacker to execute arbitrary scripts in the victim’s browser or desktop client application, potentially leading to unauthorized access to sensitive information.

This issue impacts only deployments with a multimedia license that have configured and are using email in Web Ignite, Desktop Ignite or Contact Center Client for MiContact Center Business or Mitel CX.

The vulnerability severity is rated as high. 

Mitel recommends that customers with affected product versions apply the fixes in the highlighted solution.

Affected Products and Solutions

This security advisory provides information on the following products: 

PRODUCT NAME: MiContact Center Business
VERSION(S) AFFECTED: Version 10.2 FP10 (10.2.0.10) and earlier
SOLUTION(S) AVAILABLE:
  • Mitel has provided hotfixes KB20257760, KB573971, KB573970, and KB573969 that are available for releases 10.2.0.10, 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively. Upgrade to one of these releases and apply the provided hotfix, or upgrade to a later release.
  • Upgrade to MiContact Center Business version 10.2 FP 11 (10.2.0.11) or later when available.

PRODUCT NAME: Mitel CX
VERSION(S) AFFECTED: Version 1.1 FP1 (1.1.0.1) and earlier
SOLUTION(S) AVAILABLE:
  • Mitel has provided hotfix KB20254739, which is available for release CX 1.1.0.1. Upgrade to this release and apply the provided hotfix, or upgrade to a later release.
  • Upgrade to MCX 2.0 or later when available.

This issue impacts only deployments with a multimedia license that have configured and are using email in Web Ignite, Desktop Ignite or Contact Center Client for MiContact Center Business or Mitel CX.

Product statements are related only to supported product versions. Products which have reached End of Support status are not considered. 

Vulnerability Severity

The following products have been identified as affected: 

PRODUCT NAME | CVE ID | SEVERITY | CVSS 3.1 BASE SCORE
MiContact Center Business | CVE requested | High | 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Mitel CX | CVE requested | High | 8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

The vulnerability severity is rated as high.

Solution / Recommended Action

For customers using MiContact Center Business:

  • Mitel has provided hotfixes KB20257760, KB573971, KB573970, and KB573969 that are available for releases 10.2.0.10, 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively. Upgrade to these releases and apply the provided fix.
  • This issue is corrected in version 10.2 FP 11 (10.2.0.11). Customers are advised to upgrade to this or subsequent releases when available.

For customers using Mitel CX:

  • Mitel has provided hotfix KB20254739, which is available for release CX 1.1.0.1. Upgrade to this release and apply the provided hotfix.
  • This issue is corrected in Mitel CX version 2.0. Customers are advised to upgrade to this or subsequent releases when available.

Please see Mitel Knowledge Base article KB000126140 "MiContact Center Business and Mitel CX, Security Update" https://mitel.service-now.com/kb_view.do?sysparm_article=KB000126140
If you do not have access to this link, please contact your Mitel Authorized Partner for support.

For further information, please contact Mitel Product Support.

Revision History

Version | Date | Description
1.0 | 2025-12-10 | Initial release

Publisher and Legal Disclaimer

Publisher: Mitel PSIRT / [email protected]

The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation.
