Mitel Product Security Advisory 20-0015

Mitel MiCollab Multiple Security Vulnerabilities

Advisory ID: 20-0015

Publish Date: 2020-11-12

Last Updated: 2020-11-02

Revision: 1.0

 

Summary

Following multiple vulnerabilities were privately reported:

Multiple vulnerabilities have been addressed in Mitel MiCollab:

A Cross-site scripting vulnerability in the AWV component of Mitel MiCollab could allow an attacker to view system information by sending arbitrary codes, due to improper input validation. A successful exploit could allow an attacker to view system information.

Credit is given to Youssef A. Mohamed (GeneralEG) from Buguard Labs, for highlighting this issue and bringing this to our attention.


The AWV component of Mitel MiCollab could allow an attacker to gain access to a web conference due to insufficient access controls for conference codes. A successful exploit could allow an attacker to gain access to an unsecured conference. As an additional security measure, Mitel recommends to secure conferences by setting up conference passwords.

Credit is given to Vladimir Toutain of Certilience, for highlighting this issue and bringing this to our attention.


Following multiple vulnerabilities were privately reported:

The NuPoint Messenger of Mitel MiCollab could allow an attacker with escalated privileges to access user files due to insufficient access control. A successful exploit could potentially allow an attacker to gain access to sensitive information.

A Cross-site scripting vulnerability in the AWV portal of Mitel MiCollab could allow an attacker to gain access to conference information by sending arbitrary codes due to improper input validation. A successful exploit could allow an attacker to view user conference information.

The online help portal of Mitel MiCollab could allow an attacker to redirect a user to an unauthorized website by executing malicious scripts due to insufficient access control. A successful exploit could allow an attacker to do an unauthorized URL redirection to a potentially malicious website.

A Cross-site scripting vulnerability in the NuPoint Messenger Portal of Mitel MiCollab could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation. A successful exploit could allow an attacker to view and modify user data.

An SQL Injection vulnerability in the SAS portal of Mitel MiCollab could allow an attacker to access user credentials due to improper input validation. A successful exploit could allow an attacker to gain unauthorized access to sensitive information.

Mitel is recommending customers with affected product versions to update to the latest release.

 

 

Affected Products

 

 

 

Risk Assessment

The risk for this vulnerability is rated from Medium to High. Refer to the product Security Bulletins for additional statements regarding risk.

 

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions. 

Customers are advised to review the product Security Bulletin. For additional information, contact Product Support.

 

Related CVEs / CWEs / Advisories

CVE-2020-25606 CVE-2020-25608 CVE-2020-25609 CVE-2020-25610 CVE-2020-25611 CVE-2020-25612 CVE-2020-27340

 

Revision History

Prêt à parler aux ventes ? Contactez-nous.