Mitel Product Security Advisory 18-0003

MiVoice Connect and ST 14.2 SQL Injection and Reflected XSS Vulnerabilities

Advisory ID: 18-0003
Publish Date: 2018-01-31
Revision: 2.0

Summary

An SQL injection vulnerability and Reflected Cross Site Scripting (XSS) vulnerabilities have been identified in MiVoice Connect (formerly named Connect ONSITE) and ST 14.2. These vulnerabilities could lead to exposure of user information stored in the database.

This vulnerability was privately reported to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel is recommending customers with affected product versions update to the latest release.

Credit is given to Kevin McFarland of Sage Data Security for highlighting these issues and bringing these to our attention.

Affected Products

A Security Bulletin is being issued for the following product:

Product Name	Product Versions	Security Bulletin	Last Updated
MiVoice Connect (formerly Connect ONSITE)	R1707-PREM SP1 (21.84.5535.0) and earlier	18-0003-001	2018-04-18
ST14.2	GA27 (19.49.5200.0) and earlier

Risk Assessment

The risk of these vulnerabilities is rated as high. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For details on upgrading to the latest MiVoice Connect release, please review the Connect software download page on the partner portal and/or contact your partner or Mitel customer support at: https://oneview.mitel.com/s/support.

External References
n/a

Related CVEs / CWEs / Advisories

CVE-2018-9101
CVE-2018-9102
CVE-2018-9103
CVE-2018-9104

Revision History

Version	Date	Description
2.0	2018-04-18	Corrected impacted versions; added CVE IDs; updated product name
1.0	2018-01-31	Initial version

Attachment(s)

Security Bulletin for MiVoice Connect and ST14.2

Weshalb Mitel

Produkte und Services

Partnering

Kunden

Ressourcen

Ihr Branche

Größe Ihres Unternehmens

Ihr Geschäftsbedarf

Produkte

Services

Partnerschaften mit Mitel

Partner-Unterstützung

Partnerschulung

Mitel Solutions Alliance

CloudLink-Entwickler

CLIMB

Kunden-Ressourcen

Erweiterung der Fähigkeiten

Karriere

Pressemitteilungen

Document Center

Security Advisories

Blog

Resource Center

Gesundheitswesen

Finanzdienstleistungen

Behörden

Gastgewerbe

Bildungseinrichtungen

Business-Voice Plattformen & Lösungen

Collaboration und Meetings

Kontakt Center

Telefone und Zubehör

Missions-kritische und Branchen-Lösungen

Nach Lebenszyklusphase

Ausgewählt

MiVoice Connect and ST 14.2 SQL Injection and Reflected XSS Vulnerabilities

Möchten Sie mit unserem Sales Team sprechen?