SSRF/XSPA Vulnerability in MiContact Center Business

Advisory ID: 17-0012
Publish Date: 2017-12-08
Revision: 1.0


Summary

A security vulnerability has been identified in MiContact Center Business that permits Server Side Request Forgery (SSRF) and Cross Site Port Attack (XSPA). The affected code accepts a URL that an attacker can supply or modify, and the server then reads from that URL or submits data to it. This could allow an attacker to read server configuration metadata, to probe and connect to internal services, and to reach internal databases that are not otherwise exposed to the attacker.
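The check that this class of flaw calls for, as an added example that is not part of the advisory or of Mitel's product: before the server fetches a URL on behalf of a user (for example a link submitted through the chat feature), parse it, allowlist the scheme and port, resolve the host, and refuse anything that resolves to a non-public address. The hostnames in the constructed DNS table, the fake resolver, and the function names below are assumptions for illustration.

```python
"""Validate a user-supplied URL before the server fetches it (SSRF/XSPA guard).

Added example, not Mitel's code.  Rejects URLs whose scheme or port is not on
the allowlist, that carry userinfo, or whose host resolves to any non-public
address (loopback, RFC 1918, link-local such as the 169.254.169.254 cloud
metadata endpoint, CGNAT, IPv6 ULA, and IPv4-mapped forms of these).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def default_resolve(host):
    """Resolve host to the set of IP strings it maps to right now.

    getaddrinfo also canonicalises numeric literals (on glibc "2130706433"
    comes back as "127.0.0.1"), so spelling tricks aimed at string filters
    arrive here in dotted-quad form.
    """
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def is_internal_address(ip_text):
    """True unless the address is globally routable.  IPv4-mapped IPv6
    (::ffff:10.0.0.1) is unwrapped so the IPv4 rules apply to it."""
    ip = ipaddress.ip_address(ip_text.split("%", 1)[0])  # drop any scope id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def validate_outbound_url(url, resolve=default_resolve):
    """Return (ok, detail).  On success detail is the sorted list of public IPs
    the caller should connect to directly instead of re-resolving the host
    (a second lookup is what DNS-rebinding attacks rely on)."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = set(resolve(host))
    except (socket.gaierror, UnicodeError):
        return False, f"cannot resolve {host!r}"
    if not addrs:
        return False, f"no addresses for {host!r}"
    internal = sorted(a for a in addrs if is_internal_address(a))
    if internal:  # one internal answer is enough to reject (split-horizon DNS)
        return False, f"{host!r} resolves to non-public address(es): {', '.join(internal)}"
    return True, sorted(addrs)


# Constructed DNS table so the example runs offline; hostnames are hypothetical.
CONSTRUCTED_DNS = {
    "www.example.com": {"93.184.216.34"},             # any ordinary public address
    "metadata.internal.example": {"169.254.169.254"},
    "db.corp.example": {"10.20.30.40"},
    "dual.corp.example": {"93.184.216.34", "::ffff:127.0.0.1"},
}


def fake_resolve(host):
    """Stand-in for default_resolve: IP literals resolve to themselves."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        pass
    if host in CONSTRUCTED_DNS:
        return CONSTRUCTED_DNS[host]
    raise socket.gaierror(-2, "constructed resolver: name not known")


if __name__ == "__main__":
    for u in ("https://www.example.com/hook",
              "http://169.254.169.254/latest/meta-data/",
              "http://db.corp.example:443/",
              "http://dual.corp.example/",
              "ftp://www.example.com/"):
        print(u, "->", validate_outbound_url(u, resolve=fake_resolve))
```

Two caveats for anyone wiring this into a real fetch: every HTTP redirect hop is a new URL and must go through the same check, and the connection should be made to the address that was validated rather than to the hostname, or a DNS answer that changes between the check and the fetch defeats it. Python's ipaddress also treats the RFC 5737 documentation ranges as non-global, which is why the constructed table uses an ordinary public address for the allowed case.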

Credit is given to Jamieson O’Reilly of Content Protection (Australia) for identifying this vulnerability and bringing it to our attention.

Affected Products

A Security Bulletin has been issued for the following product:

Product Name               Product Versions        Security Bulletin   Last Updated
MiContact Center Business  8.0.0.0 through 8.1.3.0 17-0012-001         2017-12-08

Risk Assessment

The risk of this vulnerability is rated as high. Refer to the related product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued an updated release of the affected software. Customers are advised to update their software to the latest version.

An interim mitigation is to block external access to the web portal or to disable the chat functionality. Either measure will interrupt the chat services provided by this system until the update is applied.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

External References

https://www.owasp.org/index.php/Server_Side_Request_Forgery

Related CVEs / CWEs / Advisories

CWE-918
