Advisory ID: MISA-2024-0029
Publish Date: 2024-10-09
Last Updated: 2024-12-12
Revision: 4.0
A path traversal vulnerability, CVE-2024-41713, in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation.
A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system. This vulnerability is exploitable without authentication. If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server. The vulnerability severity is rated as critical.
A path traversal vulnerability, CVE-2024-55550, in Mitel MiCollab could allow an authenticated attacker with administrative privilege to conduct a local file read within the system due to insufficient input sanitization.
A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation. The exposure is substantially mitigated by applying the available remediation and the vulnerability severity is rated as low.
Mitel is recommending customers with affected product versions upgrade to the latest release.
Credit is given to Sonny Macdonald of watchTowr for highlighting the issue and bringing it to our attention.
Product Name | Version(s) Affected | Solution(s) Available |
---|---|---|
MiCollab | 9.8 SP1 FP2 (9.8.1.201) and earlier | Upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later. Alternative Solution: Mitel has provided a patch that is available for releases 6.0 and above, and is compatible with MiVB-x. See the KMS article for instructions regarding both the upgrade and the patch. |
Product Name | CVE ID | Severity / CVSS 3.1 Base Score | CVSS 3.1 Vector |
---|---|---|---|
MiCollab | CVE-2024-41713 | Critical / 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
MiCollab | CVE-2024-55550 | Low / 2.7 | AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
Version | Date | Description |
---|---|---|
1.0 | 2024-10-09 | Initial release |
2.0 | 2024-12-05 | Additional information provided |
3.0 | 2024-12-09 | Updated the CVE Number |
4.0 | 2024-12-12 | Updated the available solution with expanded release compatibility |