Advisory ID: 19-0007
First Issue Date: 2019-12-20
Last Updated: 2019-12-20
Revision: 1.0
Multiple vulnerabilities were identified in MiCollab AWV.
A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV could allow an unauthenticated attack due to insufficient input validation for the session parameter. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts. (CVE-2019-19607)
Credit is given to Patrick Webster from OSI Security for highlighting this issue and bringing this to our attention.
The following two vulnerabilities were privately reported to Mitel.
A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV could allow an unauthenticated attack due to insufficient input validation for the registeredList.cgi page. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts. (CVE-2019-19608)
A cross-site scripting (XSS) vulnerability in the web conferencing component of Mitel MiCollab AWV could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation in the join meeting interface. A successful exploit could allow an attacker to execute arbitrary scripts. (CVE-2019-19371)
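As an added example (not part of the Mitel advisory and not Mitel code), a small log triage script that flags requests carrying the indicators this advisory describes: SQL metacharacters in the `session` parameter or in any parameter sent to `registeredList.cgi`, and angle brackets in any decoded parameter value. The `/awv/...` paths and the sample log lines are constructed assumptions; only the `session` parameter name and the `registeredList.cgi` filename come from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common-log-format request line: client IP, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Coarse indicators, not proof: quotes, comment openers and SQL keywords in a value
# that reaches the SQL sinks named in the advisory (session parameter, registeredList.cgi).
SQL_META = re.compile(r"""['"]|--|/\*|;|\b(?:or|and|union|select)\b""", re.IGNORECASE)
# Angle brackets in any decoded parameter value are the cheapest reflected-XSS indicator.
HTML_META = re.compile(r"[<>]")

# Constructed sample traffic (not real logs). Only the registeredList.cgi filename and the
# "session" parameter name come from the advisory; the /awv/ paths are assumed.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Dec/2019:10:01:02 +0000] "GET /awv/registeredList.cgi?session=abc123 HTTP/1.1" 200 512
192.0.2.11 - - [20/Dec/2019:10:01:05 +0000] "GET /awv/registeredList.cgi?session=abc'%20OR%20'1'%3D'1 HTTP/1.1" 200 9876
192.0.2.12 - - [20/Dec/2019:10:01:09 +0000] "GET /awv/join.cgi?name=%3Cb%3Ex%3C/b%3E HTTP/1.1" 200 300
192.0.2.13 - - [20/Dec/2019:10:01:12 +0000] "GET /awv/index.html HTTP/1.1" 200 100
"""

def classify_line(line):
    """Return (ip, path, [reasons]) for a parsable line, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    sql_sink_path = parts.path.endswith("registeredList.cgi")
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double-encoded values
        if (name == "session" or sql_sink_path) and SQL_META.search(value):
            reasons.append(f"sqli-indicator:{name}")
        if HTML_META.search(value):
            reasons.append(f"xss-indicator:{name}")
    return m.group("ip"), parts.path, reasons

def scan(log_text):
    """Return only the lines that carry at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        result = classify_line(line)
        if result and result[2]:
            hits.append(result)
    return hits
```

`scan(SAMPLE_LOG)` returns the two flagged requests (the quoted `session` value and the bracketed `name` value); the unflagged lines are dropped, and a real deployment would feed the output to a SIEM rather than printing it.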
Mitel recommends that customers with affected product versions update to the latest release.
Security Bulletins are being issued for the following products:
| Product Name | Product Versions | Security Bulletin | Last Updated |
| --- | --- | --- | --- |
| MiCollab AWV | 8.1.1.11 and earlier; 8.0 SP2 FP3 (8.0.2.301) and earlier | 19-0007-001 | 2019-12-20 |
The risk for these vulnerabilities is rated as High. Refer to the product Security Bulletins for additional statements regarding risk.
Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.
Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.
N/A
| Version | Date | Description |
| --- | --- | --- |
| 1.0 | 2019-12-20 | Initial version |