Mitel Product Security Advisory MISA-2024-0026

MiCollab SQL Injection Vulnerability in the API Interface

Advisory ID: MISA-2024-0026

Publish Date: 2024-10-09

Last Updated: 2024-10-09

Revision: 1.0

 

Summary

A SQL injection vulnerability in the API Interface of the Audio, Web and Video Conferencing (AWV) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input.

A successful exploit of this vulnerability could allow an attacker to access non-sensitive user provisioning information and execute arbitrary SQL database commands, with potential impact to the integrity and availability of the system.

This vulnerability is exploitable without authentication; however, it requires a specially crafted request with knowledge of specific system and user details. If the vulnerability is successfully exploited, an attacker could gain access to non-sensitive user provisioning information (such as names or email addresses) or run arbitrary SQL database queries to corrupt or remove tables, potentially rendering the MiCollab system inoperable.
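The root cause named above, insufficient sanitization of user input reaching a SQL statement, is best understood by contrast. The following is an added illustration, not Mitel's code and not MiCollab's schema or API: a constructed in-memory table of user-provisioning records is queried once by a vulnerable string-built statement and once by a parameterized statement, using the same input. A legitimate display name containing an apostrophe is enough to show the difference: the concatenated variant lets the value change the statement's syntax (the query fails), while the bound-parameter variant treats the value purely as data and returns the matching row.

```python
"""
Added illustration (not Mitel's code): why string-built SQL is injectable
and how a bound-parameter query removes the problem.

The table, column names and sample rows below are constructed for this
example; they do not describe the MiCollab AWV database.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory table of constructed user-provisioning records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (login TEXT, display_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "Alice Example", "alice@example.test"),
            ("obrien", "Pat O'Brien", "obrien@example.test"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, display_name: str) -> list:
    """Vulnerable pattern: the caller's value is pasted into the SQL text,
    so the database parser sees it as part of the statement, not as data.
    Any quote character in the input alters the statement's structure."""
    sql = (
        "SELECT login, email FROM users "
        f"WHERE display_name = '{display_name}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, display_name: str) -> list:
    """Hardened pattern: the SQL text is fixed and the value travels as a
    bound parameter. The driver never interprets the value as syntax, so
    quotes, comment markers or keywords in the input stay inert."""
    sql = "SELECT login, email FROM users WHERE display_name = ?"
    return conn.execute(sql, (display_name,)).fetchall()


def compare(display_name: str) -> dict:
    """Run both variants on the same input and report what each one did.

    Returns a dict with the rows from the safe query, the rows from the
    unsafe query (or None if it raised), and the unsafe query's error class.
    """
    conn = make_db()
    result = {"safe": lookup_safe(conn, display_name)}
    try:
        result["unsafe"] = lookup_unsafe(conn, display_name)
        result["unsafe_error"] = None
    except sqlite3.Error as exc:
        # With concatenation, an apostrophe in the input terminates the
        # string literal early and the rest is parsed as SQL.
        result["unsafe"] = None
        result["unsafe_error"] = type(exc).__name__
    return result


if __name__ == "__main__":
    for name in ("Alice Example", "Pat O'Brien"):
        print(name, "->", compare(name))
```

For plain values such as "Alice Example" both variants return the same row; for "Pat O'Brien" the concatenated query fails with a syntax error because the apostrophe has become part of the statement, which is exactly the property an injection relies on, whereas the parameterized query still returns the intended row. Values that cannot be bound as parameters (table or column names, sort directions) should be checked against a fixed allow-list rather than interpolated.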

The vulnerability severity is rated as high.

Mitel is recommending customers with affected product versions update to the latest release.

Credit is given to Patrick Webster of OSI Security for highlighting these issues and bringing these to our attention.

 

Affected Products

This security advisory provides information on the following products:

Product Name | Version(s) Affected                  | Solution(s) Available
MiCollab     | 9.8 SP1 FP2 (9.8.1.201) and earlier  | Upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later.

Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.

 

Vulnerability Severity

The following products have been identified as affected:

Product Name | CVE ID         | Severity | CVSS 3.1 Base Score
MiCollab     | CVE-2024-47189 | High     | 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H)

The vulnerability severity is rated as high.

 

Mitigations / Workarounds

Customers with affected product versions should upgrade to the highlighted solution versions or later.

Until the upgrade is applied, the risk may be mitigated by following the instructions in Mitel Knowledge Base article SO8230, referenced under Solution / Recommended Action below.

 

Solution / Recommended Action

This issue is corrected in MiCollab 9.8 SP2 (9.8.2.12). Customers are advised to upgrade to this or subsequent releases.

Please see Mitel Knowledge Base article SO8230, “MiCollab Security Update CVE-2024-47189 - SQL Injection Vulnerability in the API Interface”: https://mitel.custhelp.com/app/answers/answer_view/a_id/1021021

If you do not have access to this link, please contact your Mitel Authorized Partner for support.

For further information, please contact Mitel Product Support.

 

Related CVEs / CWEs / Advisories

CVE-2024-47189

 

Revision History

Version | Date       | Description
1.0     | 2024-10-09 | Initial release


The information provided in this advisory is provided "as is" without warranty of any kind. The information is subject to change without notice. Mitel and its affiliates do not guarantee and accept no legal liability whatsoever arising from or connected to the accuracy, reliability, currency or completeness of the information provided. No part of this document can be reproduced or transmitted in any form or by any means - electronic or mechanical - for any purpose without written permission from Mitel Networks Corporation. 