Advisory ID: 20-0015
Publish Date: 2020-11-12
Last Updated: 2020-11-02
Revision: 1.0
The following vulnerabilities were privately reported and have been addressed in Mitel MiCollab:
A cross-site scripting vulnerability in the AWV component of Mitel MiCollab could allow an attacker to view system information by sending arbitrary code, due to improper input validation. A successful exploit could allow an attacker to view system information.
Credit is given to Youssef A. Mohamed (GeneralEG) from Buguard Labs, for highlighting this issue and bringing this to our attention.
The AWV component of Mitel MiCollab could allow an attacker to gain access to a web conference due to insufficient access controls for conference codes. A successful exploit could allow an attacker to gain access to an unsecured conference. As an additional security measure, Mitel recommends securing conferences by setting conference passwords.
Credit is given to Vladimir Toutain of Certilience, for highlighting this issue and bringing this to our attention.
The following additional vulnerabilities were privately reported:
The NuPoint Messenger of Mitel MiCollab could allow an attacker with escalated privileges to access user files due to insufficient access control. A successful exploit could potentially allow an attacker to gain access to sensitive information.
A cross-site scripting vulnerability in the AWV portal of Mitel MiCollab could allow an attacker to gain access to conference information by sending arbitrary code, due to improper input validation. A successful exploit could allow an attacker to view user conference information.
The online help portal of Mitel MiCollab could allow an attacker to redirect a user to an unauthorized website by executing malicious scripts, due to insufficient access control. A successful exploit could allow an attacker to perform an unauthorized URL redirect to a potentially malicious website.
A cross-site scripting vulnerability in the NuPoint Messenger portal of Mitel MiCollab could allow an authenticated attacker to execute arbitrary scripts, due to insufficient input validation. A successful exploit could allow an attacker to view and modify user data.
An SQL Injection vulnerability in the SAS portal of Mitel MiCollab could allow an attacker to access user credentials due to improper input validation. A successful exploit could allow an attacker to gain unauthorized access to sensitive information.
Mitel recommends that customers with affected product versions update to the latest release.
Product Name | Product Version | Security Bulletin | Last Updated |
---|---|---|---|
MiCollab | MiCollab 9.1.3 and earlier | | 2020-11-12 |
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
Version | Date | Description |
---|---|---|
1.0 | 2020-11-12 | Initial version |