Advisory ID: 22-0006
Publish Date: 2022-07-27
Last Updated: 2022-08-29
Revision: 3.0
The following vulnerabilities were privately reported to Mitel.
A vulnerability has been identified in the web conferencing component of MiCollab which could allow upload of malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application.
A vulnerability has been identified in the MiCollab Client server component of MiCollab which could allow a Server-Side Request Forgery attack. A successful exploit could allow an attacker to leverage connections and permissions available to the host server.
Credit is given to Shaquin Trifonoff of Lateral Security for highlighting these two issues and bringing them to our attention.
A vulnerability has been identified in the MiCollab Client API component of MiCollab which could allow an authenticated attacker to control another extension number or allow an authenticated attacker to impersonate another user's name.
Mitel is recommending customers with affected product versions apply the available remediation.
Product Name | Product Version | Security Bulletin | Last Updated |
---|---|---|---|
MiCollab | 9.5.0.101 and earlier | 22-0006-001, 22-0006-002, 22-0006-003 | 2022-08-29, 2022-08-08, 2022-08-08 |
Note: MiVoice Business Express included earlier versions of MiCollab and is also affected.
The risks for these vulnerabilities are rated from Medium to Critical. Refer to the product Security Bulletin for additional statements regarding risk.
Mitel has issued a new release of MiCollab, and mitigations for earlier releases. Customers are advised to update to the latest version.
Customers are advised to review the product Security Bulletins. For additional information, contact Mitel Product Support.
Version | Date | Description |
---|---|---|
1.0 | 2022-07-27 | Initial Version |
2.0 | 2022-08-08 | Updated assessment and bulletins |
3.0 | 2022-08-29 | Updated bulletins |