Mitel Product Security Advisory 19-0007

MiCollab SQL injection and XSS vulnerabilities

Advisory ID: 19-0007

First Issue Date: 2019-12-20

Last Updated: 2019-12-20

Revision: 1.0

 

Summary

Multiple vulnerabilities were identified in MiCollab AWV.

A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV could allow an unauthenticated attacker to conduct a SQL injection attack due to insufficient input validation of the session parameter. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts. (CVE-2019-19607)

Credit is given to Patrick Webster from OSI Security for highlighting this issue and bringing this to our attention.

The following two vulnerabilities were privately reported to Mitel.

A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV could allow an unauthenticated attacker to conduct a SQL injection attack due to insufficient input validation in the registeredList.cgi page. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts. (CVE-2019-19608)

A cross-site scripting (XSS) vulnerability in the web conferencing component of Mitel MiCollab AWV could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation in the join meeting interface. A successful exploit could allow an attacker to execute arbitrary scripts. (CVE-2019-19371)

Mitel recommends that customers running affected product versions update to the latest release.


Affected Products

Security Bulletins are being issued for the following products:

Product Name    Product Versions                        Security Bulletin    Last Updated
MiCollab AWV    8.1.1.11 and earlier                    19-0007-001          2019-12-20
                8.0 SP2 FP3 (8.0.2.301) and earlier

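The table above gives two separate ceilings, one per maintained line, so a simple "less than 8.1.1.11" comparison would wrongly flag fixed 8.0 builds (for example 8.0.3.x) as vulnerable and wrongly clear nothing on the 8.1 line. The following is an added example, not code from Mitel or from this advisory, that classifies a version string against both ceilings. It assumes the product reports plain dotted build numbers in the form the table uses ("8.0.2.301", "8.1.1.11"), that Mitel shipped a fixed build above each ceiling on its own line (the advisory says new releases were issued), and that any line older than 8.0 falls under "and earlier"; function and constant names are the example's own.

```python
"""Added example (not part of Mitel Advisory 19-0007): decide whether a
MiCollab AWV build number falls inside the affected ranges listed in the
Affected Products table. Assumes dotted numeric version strings."""
from typing import Dict, Tuple

# Last affected build on each maintained line, copied from the table.
# Anything above the ceiling on the same line is assumed to carry the fix.
AFFECTED_CEILINGS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (8, 0): (8, 0, 2, 301),  # 8.0 SP2 FP3 (8.0.2.301) and earlier
    (8, 1): (8, 1, 1, 11),   # 8.1.1.11 and earlier
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.0.2.301' -> (8, 0, 2, 301). Rejects empty or non-numeric parts
    so a garbled banner string does not silently compare as 'fixed'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(text: str) -> bool:
    """True if the build is within an affected range of this advisory."""
    version = parse_version(text)
    # Pad short strings ('8.1' -> 8.1.0.0) so tuple comparison is positional.
    padded = version + (0,) * max(0, 4 - len(version))
    line = padded[:2]
    if line in AFFECTED_CEILINGS:
        # Compare within the line: 8.0.3.x is newer than 8.0.2.301 and
        # therefore fixed, even though it is numerically below 8.1.1.11.
        return padded <= AFFECTED_CEILINGS[line]
    # Lines older than 8.0 are "earlier" than every listed build (assumed
    # affected); lines newer than 8.1 are not covered by this advisory.
    return padded < min(AFFECTED_CEILINGS.values())


if __name__ == "__main__":
    for sample in ("8.0.2.301", "8.0.3.1", "8.1.1.11", "8.1.1.12", "7.3.0.1", "8.2.0.0"):
        print(f"{sample:>10}: {'AFFECTED' if is_affected(sample) else 'not affected'}")
```

Feed it the build number shown in the product's administration interface; a ValueError means the string needs cleaning up rather than being trusted as "not affected".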

Risk Assessment

The risk for these vulnerabilities is rated as High. Refer to the product Security Bulletins for additional statements regarding risk.

 

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

 

External References

N/A

 

Related CVEs / CWEs / Advisories

CVE-2019-19607

CVE-2019-19608

CVE-2019-19371

 

Revision History

Version    Date          Description
1.0        2019-12-20    Initial version