Mitel Product Security Advisory MISA-2026-0001
MiContact Center Business and Mitel CX Reflected Cross Site Scripting (XSS) Vulnerability
Advisory ID: MISA-2026-0001
Publish Date: 2026-03-18
Last Updated: 2026-03-18
Revision: 1.0
Summary
A cross-site scripting (XSS) vulnerability has been identified in the Legacy Chat component of MiContact Center Business and Mitel CX. Due to insufficient input validation, successful exploitation could allow an unauthenticated attacker to conduct a reflected XSS attack.
Successful exploitation requires user interaction and could allow an attacker to execute arbitrary scripts, potentially gaining unauthorized access to sensitive information, viewing or sending chat messages, or changing agent configuration.
The vulnerability severity is rated as high.
Mitel recommends that customers with affected product versions apply the fixes listed in the solution section of this advisory.
Affected Products and Solutions
This security advisory provides information on the following products:
| PRODUCT NAME | VERSION(S) AFFECTED | SOLUTION(S) AVAILABLE |
|---|---|---|
| Mitel CX | Version 2.0.0.1 and earlier | Mitel has provided hotfixes KB20266934 and KB20267102 that are available for releases 2.0.0.1 and 1.1.0.1, respectively. Upgrade to one of these releases and apply the provided hotfix, or upgrade to a later release. Upgrade to MCX 2.1 or later when available. |
| MiContact Center Business | Version 10.2.0.11 and earlier | Upgrade to MiContact Center Business version 10.2.0.12 or later. Alternative Solution: Mitel has provided hotfixes KB574059, KB574060, and KB574061 that are available for releases 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively. Upgrade to one of these releases and apply the provided hotfix, or upgrade to a later release. |
This issue only impacts deployments using the Legacy Chat component.
Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.
Vulnerability Severity
The following products have been identified as affected:
| PRODUCT NAME | CVE ID | SEVERITY / CVSS 3.1 BASE SCORE | CVSS 3.1 VECTOR |
|---|---|---|---|
| Mitel CX | CVE requested | High / 8.3 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
| MiContact Center Business | CVE requested | High / 8.3 | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L |
The vulnerability severity is rated as high.
Mitigations / Workarounds
The risk may be mitigated by following the instructions found in the Security KB article.
The risk may also be mitigated by turning off the Legacy Chat or converting to the CloudLink Contact Center Messenger Chat.
Solution / Recommended Action
For customers using Mitel CX:
- Mitel has provided hotfixes KB20266934 and KB20267102 that are available for releases 2.0.0.1 and 1.1.0.1, respectively. Upgrade to one of these releases and apply the provided hotfix.
- This issue is corrected in Mitel CX version MCX 2.1. Customers are advised to upgrade to this or subsequent releases when available.
For customers using MiContact Center Business:
- This issue is corrected in MiContact Center Business version 10.2.0.12. Customers are advised to upgrade to this or subsequent releases.
- Mitel has provided hotfixes KB574059, KB574060, and KB574061 that are available for releases 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively. Upgrade to one of these releases and apply the provided hotfix.
Please see Mitel Knowledge Base article KB000127190 "MiContact Center Business and Mitel CX, Security Update".
If you do not have access to this link, please contact your Mitel Authorized Partner for support.
For further information, please contact Mitel Product Support.
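The affected-version ranges and hotfix mapping in this advisory can be applied to a deployment inventory as a triage check. The following is an added example, not Mitel tooling: the function names, status labels, `legacy_chat` flag and `applied_kbs` input are assumptions, and hotfix state has to be supplied because it cannot be inferred from the version number.

```python
# Added example. Version and KB data are transcribed from MISA-2026-0001;
# the function names, status labels and applied_kbs input are hypothetical.
ADVISORY = {
    "MiContact Center Business": {
        "last_affected": (10, 2, 0, 11), "fixed": "10.2.0.12",
        "hotfixes": {(10, 1, 0, 5): "KB574059", (10, 0, 0, 4): "KB574060",
                     (9, 5, 0, 3): "KB574061"}},
    "Mitel CX": {
        "last_affected": (2, 0, 0, 1), "fixed": "MCX 2.1 (when available)",
        "hotfixes": {(2, 0, 0, 1): "KB20266934", (1, 1, 0, 1): "KB20267102"}},
}

def parse_version(text):
    """'10.1.0.5' -> (10, 1, 0, 5); shorter versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def triage(product, version, legacy_chat=True, applied_kbs=()):
    """Return (status, action) for one installation."""
    rule, v = ADVISORY[product], parse_version(version)
    if not legacy_chat:  # advisory: only Legacy Chat deployments are impacted
        return ("not_impacted", "Legacy Chat not in use")
    if v > rule["last_affected"]:
        return ("not_listed", "version is not listed as affected")
    kb = rule["hotfixes"].get(v)
    if kb in applied_kbs:
        return ("remediated", f"{kb} already applied")
    if kb:
        return ("affected", f"apply {kb}, or upgrade to {rule['fixed']}")
    # Assumption: suggest the smallest step, i.e. the lowest hotfix base
    # release above the installed version; any listed base release works.
    later = sorted(b for b in rule["hotfixes"] if b > v)
    if later:
        base = ".".join(map(str, later[0]))
        return ("affected", f"upgrade to {base} and apply "
                f"{rule['hotfixes'][later[0]]}, or upgrade to {rule['fixed']}")
    return ("affected", f"upgrade to {rule['fixed']}")

if __name__ == "__main__":
    # Constructed inventory rows: (host, product, version, legacy_chat, KBs)
    inventory = [
        ("cc-01", "MiContact Center Business", "10.1.0.3", True, ()),
        ("cc-02", "MiContact Center Business", "10.0.0.4", True, ("KB574060",)),
        ("cx-01", "Mitel CX", "2.0.0.1", False, ()),
    ]
    for host, product, version, chat, kbs in inventory:
        print(host, *triage(product, version, chat, kbs))
```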
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 2026-03-18 | Initial release |
Publisher and Legal Disclaimer
Publisher: Mitel PSIRT
The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation.