ST 14.2 Reflected XSS Vulnerability

Advisory ID: 18-0007

First Issue Date: 2018-09-04

Last Updated: 2018-09-04

Revision: 1.0

Summary

A Reflected Cross Site Scripting (XSS) vulnerability has been identified in ST 14.2. This vulnerability could lead to exposure of user information by allowing an unauthenticated, remote attacker to conduct an attack against the user of the web browser. An attacker who can convince a user to follow an attacker-supplied link that could execute arbitrary script or HTML code in the user’s browser.

This vulnerability was privately reported to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel is recommending customers with affected product versions update to the latest release.

Credit is given to Harrison Coale of Secureworks for highlighting this issue and bringing this to our attention.

Affected Products

A Security Bulletin is being issued for the following product:

Product Name  Product Versions  Security Bulletin  Last Updated 
 ST 14.2  GA29 (19.49.9400.0) and earlier  18-0007-001  2018-09-04

Risk Assessment

The risk of this vulnerability is rated as moderate. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For details on upgrading to the latest ST 14.2 release, please review the software download page on the partner portal and/or contact your partner or Mitel customer support at: https://oneview.mitel.com/s/support.

External References

n/a

Related CVEs / CWEs / Advisories

CVE-2018-12901

Revision History

Version  Date  Description 
1.0  2018-09-04  Initial version 

 

Attachment(s)

SECURITY BULLETIN ID: 18-0007-001

Ready to talk to sales? Contact us.