Mitel Product Security Advisory MISA-2025-0003

MiContact Center Business Reflected Cross Site Scripting Vulnerability

Advisory ID: MISA-2025-0003

Publish Date: 2025-03-26

Last Updated: 2025-03-26

Revision: 1.0


Summary

A reflected cross-site scripting (XSS) vulnerability caused by insufficient input validation has been identified in the Legacy Chat component of MiContact Center Business. If successfully exploited, it could allow an unauthenticated attacker to conduct a reflected XSS attack.

A successful exploit of this vulnerability requires user interaction and could allow an attacker to execute arbitrary scripts, which may allow the attacker to obtain sensitive information and modify the current chat. The impact on confidentiality and integrity is limited.

The vulnerability severity is rated as high.

Mitel recommends that customers with affected product versions apply the fixes described in the Solution / Recommended Action section below.
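The following is an added illustration of the vulnerability class this summary describes (a reflected XSS caused by missing input validation and output encoding); it is a hypothetical toy chat page written for this advisory, not Mitel code and not the MiContact Center Business Legacy Chat implementation. The URL, the "name" parameter and the sample request are all constructed. It shows the defect (a query parameter copied verbatim into the HTML response), the hardened form (context-aware HTML encoding plus a Content-Security-Policy header as defense in depth), and a small check a reviewer or test harness can use to detect unencoded reflection.

```python
"""Reflected XSS, vulnerable vs. hardened (hypothetical toy chat page)."""
from html import escape
from urllib.parse import parse_qs, urlsplit


def _param(url: str, name: str) -> str:
    """Return the first value of query parameter `name` from `url` ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_chat_unsafe(url: str) -> str:
    """Vulnerable pattern: the untrusted 'name' parameter is copied verbatim
    into the HTML body, so any markup it contains is interpreted by the browser."""
    name = _param(url, "name")
    return f"<h1>Chat with {name}</h1>"


def render_chat_safe(url: str) -> tuple[str, dict]:
    """Hardened pattern: HTML-encode the untrusted value for the element-content
    context it is placed in, and send a CSP header so that even a missed
    encoding cannot run inline script."""
    name = _param(url, "name")
    body = f"<h1>Chat with {escape(name, quote=True)}</h1>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return body, headers


def is_reflected_unencoded(url: str, body: str, param: str) -> bool:
    """Detection helper: True when the parameter value carries HTML
    metacharacters and appears byte-for-byte in the response body."""
    value = _param(url, param)
    return any(c in value for c in "<>\"'") and value in body


# Constructed sample request: a name containing a script tag (URL-encoded).
SAMPLE_URL = "https://chat.example.test/legacy?name=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    print("unsafe reflects raw markup:",
          is_reflected_unencoded(SAMPLE_URL, render_chat_unsafe(SAMPLE_URL), "name"))
    safe_body, safe_headers = render_chat_safe(SAMPLE_URL)
    print("safe reflects raw markup:  ",
          is_reflected_unencoded(SAMPLE_URL, safe_body, "name"))
    print(safe_body)
```

The encoding must match the output context: `html.escape` is correct for element content and quoted attribute values, but a value placed inside a URL, a JavaScript string, or CSS needs that context's encoder instead. The CSP header does not replace encoding; it limits the damage when encoding is missed.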


Affected Products

This security advisory provides information on the following products:

Product Name: MiContact Center Business

Version(s) Affected:
  10.2.0.0 through 10.2.0.4
  10.1.0.0 through 10.1.0.5
  10.0.0.0 through 10.0.0.4
  9.5.0.3 and earlier

Solution(s) Available:
  Upgrade to MiContact Center Business version 10.2.0.5 or later.
  Mitel has also provided hotfixes KB571322, KB571372, and KB571320 that are available for releases 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively. Upgrade to one of these releases and apply the provided hotfix, or upgrade to a later release.
  This issue only impacts deployments using the Legacy Chat component.

Product statements are related only to supported product versions. Products which have reached End of Support status are not considered.

Vulnerability Severity

The following products have been identified as affected:

Product Name: MiContact Center Business
CVE ID: CVE-2025-23092
Severity / CVSS 3.1 Base Score: High / 7.1
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

The vulnerability severity is rated as high.

Mitigations / Workarounds

Customers with affected product versions should apply the fixes described in the Solution / Recommended Action section below.
The risk may be mitigated by following the instructions in the Mitel Knowledge Base (KMS) article referenced in that section.
The risk may also be mitigated by turning off Legacy Chat or converting to the CloudLink Contact Center Messenger Chat.

Solution / Recommended Action

This issue is corrected in MiContact Center Business version 10.2.0.5. Customers are advised to upgrade to this or subsequent releases.

Mitel has also provided hotfixes KB571322, KB571372, and KB571320 that are available for releases 10.1.0.5, 10.0.0.4, and 9.5.0.3, respectively.
Upgrade to one of these releases and apply the provided hotfix, or upgrade to a later release.

Please see Mitel Knowledge Base article SO8420, "MiContact Center Business, Security Update, CVE-2025-23092": https://mitel.custhelp.com/app/answers/answer_view/a_id/1021478

If you do not have access to this link, please contact your Mitel Authorized Partner for support.

For further information, please contact Mitel Product Support.


Related CVEs / CWEs / Advisories

CVE-2025-23092


Revision History

Version: 1.0
Date: 2025-03-26
Description: Initial release