MidnightBSD

Advisories for mitel

CVE-2004-0945 MEDIUM

The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 allows remote authenticated users to cause a denial of service (resource exhaustion) via a large number of active sessions, which exceeds ICP's maximum.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other

Products Affected

Vendor Product Version
mitel mitel_3300_integrated_communication_platform *

CVE-2014-0160 MEDIUM

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125

Products Affected

Vendor Product Version
mitel micollab 7.2
broadcom symantec_messaging_gateway 10.6.1
redhat virtualization 6.0
intellian v100_firmware 1.21
redhat enterprise_linux_server 6.0
broadcom symantec_messaging_gateway 10.6.0
siemens application_processing_engine_firmware 2.0
debian debian_linux 8.0
mitel micollab 7.0
mitel micollab 7.3
intellian v100_firmware 1.20
mitel micollab 7.1
mitel mivoice 1.2.0.11
redhat gluster_storage 2.1
openssl openssl *
canonical ubuntu_linux 13.10
siemens simatic_s7-1500_firmware 1.5
opensuse opensuse 12.3
mitel micollab 6.0
redhat enterprise_linux_server_aus 6.5
redhat enterprise_linux_server_tus 6.5
ricon s9922l_firmware 16.10.3(3794)
mitel micollab 7.3.0.104
mitel mivoice 1.1.3.3
siemens cp_1543-1_firmware 1.1
intellian v100_firmware 1.24
splunk splunk *
redhat enterprise_linux_workstation 6.0
debian debian_linux 7.0
siemens elan-8.2 *
debian debian_linux 6.0
intellian v60_firmware 1.25
intellian v60_firmware 1.15
mitel mivoice 1.3.2.2
fedoraproject fedora 19
canonical ubuntu_linux 12.10
siemens wincc_open_architecture 3.12
fedoraproject fedora 20
opensuse opensuse 13.1
canonical ubuntu_linux 12.04
filezilla-project filezilla_server *
siemens simatic_s7-1500t_firmware 1.5
redhat enterprise_linux_desktop 6.0
mitel mivoice 1.4.0.102
redhat enterprise_linux_server_eus 6.5
redhat storage 2.1
mitel mivoice 1.1.2.5

CVE-2016-6562 LOW

On iOS and Android devices, the ShoreTel Mobility Client app version 9.1.3.109 fails to properly validate SSL certificates provided by HTTPS connections, which means that an attacker in the position to perform MITM attacks may be able to obtain sensitive account information such as login credentials.

CVSS 2.0

Severity: LOW

Problem Type: CWE-295

Products Affected

Vendor Product Version
mitel shortel_mobility_client 9.1.3.109

CVE-2017-16250 MEDIUM

A vulnerability in Mitel ST 14.2, release GA28 and earlier, could allow an attacker to use the API function to enumerate through user-ids which could be used to identify valid user ids and associated user names.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200

Products Affected

Vendor Product Version
mitel st14.2 *

CVE-2017-16251 HIGH

A vulnerability in the conferencing component of Mitel ST 14.2, release GA28 and earlier, could allow an authenticated user to upload a malicious script to the Personal Library by a crafted POST request. Successful exploit could allow an attacker to execute arbitrary code within the context of the application.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434

Products Affected

Vendor Product Version
mitel st14.2 *

CVE-2018-12901 MEDIUM

A vulnerability in the conferencing component of Mitel ST 14.2, versions GA29 (19.49.9400.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the signin.php page. A successful exploit could allow an attacker to execute arbitrary scripts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
mitel st_firmware *

CVE-2018-15497 HIGH

The Mitel MiVoice 5330e VoIP device is affected by memory corruption flaws in the SIP/SDP packet handling functionality. An attacker can exploit this issue remotely, by sending a particular pattern of SIP/SDP packets, to cause a denial of service state in the affected devices and probably remote code execution.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119

Products Affected

Vendor Product Version
mitel mivoice_5330e_firmware *

CVE-2018-16226 MEDIUM

A vulnerability in the web admin component of Mitel MiVoice Office 400, versions R5.0 HF3 (v8839a1) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack, due to insufficient validation for the start.asp page. A successful exploit could allow the attacker to execute arbitrary scripts to access sensitive browser-based information.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
mitel mivoice_office_400 r5.0

CVE-2018-18285 HIGH

SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the login interface. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
mitel cmg_suite *
mitel cmg_suite 8.4

CVE-2018-18286 HIGH

SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the changepwd interface. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
mitel cmg_suite *
mitel cmg_suite 8.4

CVE-2018-18819 MEDIUM

A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creation of unauthorized chat sessions, due to insufficient access controls. A successful exploit could allow execution of arbitrary commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863

Products Affected

Vendor Product Version
mitel mivoice_business_express *
mitel micollab *

CVE-2018-19275 HIGH

The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with potential impacts to the confidentiality, integrity and availability of the system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-1188

Products Affected

Vendor Product Version
mitel cmg_suite *
mitel inattend 2.5
mitel inattend *
mitel cmg_suite 8.4

CVE-2018-3639 LOW

Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-203

Products Affected

Vendor Product Version
intel xeon_e7 4820_v2
intel xeon_gold 86140
intel atom_e e3845
intel atom_c c3508
intel xeon_e3_1271_v3 -
intel xeon_e5_2618l_v2 -
intel atom_x7-e3950 -
intel xeon_e5 4667_v3
intel xeon_e3_1270 -
intel xeon_e3 l3403
intel xeon_e5_2418l_v2 -
arm cortex-a 15
microsoft windows_10 -
siemens simatic_ipc847d_firmware *
intel xeon_e5_2630l_v2 -
intel xeon_silver 4114t
intel xeon_gold 86134
intel xeon_e3_1226_v3 -
intel xeon_e5_2420_v2 -
intel xeon_e7 4830_v4
intel xeon_e3 e6510
redhat virtualization_manager 4.3
intel xeon_gold 86132
intel xeon_gold 86142f
intel xeon_e7 4850
intel xeon_silver 4109t
redhat enterprise_linux_server_tus 6.6
intel xeon_e7 8860_v4
siemens simatic_ipc647d_firmware *
microsoft surface_studio -
intel atom_z z3745d
intel xeon_e3_1225_v5 -
intel xeon_e3 x3480
intel xeon_e5_2608l_v4 -
intel xeon_e5_2603_v3 -
intel atom_z z3775
intel xeon_e5_2643 -
intel xeon_e7 2890_v2
intel atom_z z3570
intel atom_z z3795
intel xeon_e7 8850
intel core_i5 45nm
intel xeon_e3_1240_v5 -
intel xeon_e3 x3450
intel xeon_gold 85115
intel atom_z z3590
intel xeon_e3_1270_v2 -
intel xeon_gold 86142m
redhat virtualization 4.0
intel xeon_e5 4669_v4
redhat openstack 8
intel xeon_e3_1240_v3 -
intel xeon_e5_2430 -
intel xeon_e5_2650_v2 -
redhat enterprise_linux_server_tus 7.7
intel xeon_e5 2660_v3
intel xeon_e5 2698_v4
intel xeon_e3_1275_v5 -
intel atom_x5-e3940 -
intel xeon_e3_1225_v3 -
intel xeon_e7 8880_v4
siemens itc2200_pro_firmware *
intel pentium_silver n5000
intel xeon_e5 4603_v2
siemens simatic_ipc847c_firmware *
siemens itc1900_firmware *
microsoft windows_10 1803
intel xeon_e5_2643_v3 -
intel xeon_e3_1505l_v5 -
intel xeon_platinum 8164
intel xeon_e3 x5570
intel xeon_e3 l5506
intel xeon_e3_1275_v3 -
intel xeon_e3 l5518_
intel atom_c c3758
intel xeon_e3_1286_v3 -
intel xeon_e3 e5506
intel xeon_e7 8830
intel xeon_e3_1240l_v3 -
redhat enterprise_linux_server_aus 7.4
intel xeon_e3_1230_v2 -
intel atom_e e3827
microsoft windows_server_2008 r2
intel xeon_e3_1280_v5 -
intel xeon_e5_2438l_v3 -
intel xeon_e5_2637 -
intel xeon_e7 2880_v2
intel xeon_e3_1276_v3 -
intel xeon_e7 8893_v4
redhat enterprise_linux_desktop 7.0
intel xeon_gold 85118
siemens simatic_s7-1500_firmware *
siemens simatic_field_pg_m4_firmware *
intel xeon_e3_1230 -
siemens simatic_ipc427e_firmware *
intel xeon_e5_2630l_v3 -
intel xeon_e5_2450_v2 -
intel xeon_e7 8867_v3
intel xeon_gold 86148
siemens simatic_ipc677d_firmware *
intel xeon_e5 2698_v3
intel atom_z z3775d
intel xeon_e7 8837
intel xeon_e3_1265l_v3 -
intel xeon_platinum 8158
intel xeon_e7 4820
intel xeon_e5 2687w_v3
intel xeon_e5 4607_v2
intel xeon_e3_1285_v4 -
intel xeon_e5_1428l_v2 -
intel xeon_silver 4108
intel xeon_gold 86130
intel xeon_e3_1270_v3 -
intel xeon_e3 7500
microsoft windows_8.1 -
redhat openstack 9
intel xeon_e5_1428l -
intel xeon_e5_2450l -
intel xeon_e7 4870_v2
intel xeon_e3_1240 -
intel xeon_e5_2628l_v3 -
intel atom_e e3815
sonicwall global_management_system -
intel xeon_e5 4650_v2
intel xeon_e7 4807
siemens sinumerik_pcu_50.5_firmware *
intel xeon_platinum 8160
intel xeon_e5_2630_v2 -
intel atom_z z3736f
siemens simatic_ipc427d_firmware *
intel xeon_e5_2648l_v2 -
intel xeon_e5_2640_v3 -
intel xeon_e3 w5590
intel xeon_e5_2420 -
intel xeon_e5 4650
intel xeon_e7 2850
intel xeon_e3_1260l -
intel xeon_gold 85120
intel xeon_e5_2643_v2 -
intel xeon_e7 4850_v2
intel xeon_e7 8894_v4
microsoft surface_pro_with_lte_advanced 1807
intel xeon_e3_12201_v2 -
intel xeon_e3_1268l_v5 -
intel xeon_e5_2608l_v3 -
intel xeon_e5_2428l_v3 -
intel xeon_e7 2870_v2
intel xeon_e3 1558l_v5
intel xeon_e3_1270_v6 -
intel xeon_e5_2620 -
intel xeon_e5_2630 -
intel xeon_e5 4650_v4
intel xeon_e5_2628l_v4 -
intel xeon_e3 x3460
intel xeon_gold 86140m
sonicwall cloud_global_management_system -
intel xeon_e5 2680_v3
intel xeon_e5_2403 -
intel xeon_e5_2430l_v2 -
intel xeon_e3 e5503
siemens simatic_ipc3000_smart_firmware *
intel xeon_e5_2470 -
intel atom_z z2760
intel xeon_e5_1630_v4 -
intel xeon_e7 4820_v3
intel xeon_e5 4617
intel xeon_e5 2658a_v3
sonicwall email_security -
intel xeon_e5 4669_v3
intel xeon_e3 3600
siemens simatic_ipc647c_firmware *
intel xeon_e5_2643_v4 -
intel xeon_e3_1285_v6 -
intel xeon_e5_2650l_v3 -
microsoft surface_pro 3
intel xeon_e3_1245_v5 -
intel xeon_e3_1275_v2 -
intel xeon_platinum 8160t
microsoft windows_server_2012 -
mitel mivoice_border_gateway -
intel core_i3 45nm
intel atom_c c3338
intel xeon_e3_1265l_v4 -
intel xeon_e5_2620_v2 -
intel xeon_e5_2440_v2 -
arm cortex-a 72
intel xeon_e5_2428l_v2 -
intel xeon_e7 8870_v4
intel atom_z z3530
intel xeon_e5 2699a_v4
intel atom_z z3480
canonical ubuntu_linux 14.04
intel xeon_e5_2637_v3 -
intel xeon_gold 86138
intel xeon_e5 2650l_v4
intel xeon_e5 4657l_v2
intel xeon_e5_1650_v4 -
intel xeon_silver 4116t
intel atom_c c3830
intel xeon_e5 2665
redhat enterprise_linux_eus 7.3
intel xeon_e3_1245_v3 -
intel xeon_e7 8890_v4
canonical ubuntu_linux 18.04
siemens simatic_ipc677c_firmware *
intel xeon_e7 2850_v2
oracle solaris 11
intel xeon_e3_1235 -
siemens simatic_field_pg_m5_firmware *
intel xeon_e5 2699_v3
intel xeon_e5 4640
intel xeon_e7 8890_v2
intel xeon_platinum 8176f
sonicwall web_application_firewall -
intel xeon_e3 1585_v5
intel xeon_e5 4628l_v4
intel celeron_j j4005
intel atom_z z2420
intel xeon_e7 8870
intel xeon_e3 e5520
redhat openstack 12
intel xeon_e5_2450l_v2 -
intel xeon_e5 4660_v4
intel xeon_e5 2667_v4
intel xeon_e5 4650_v3
intel xeon_e5_2603_v2 -
intel xeon_e7 8893_v3
intel xeon_e7 8880l_v2
intel xeon_e5_2620_v4 -
intel xeon_gold 86148f
intel xeon_gold 86136
intel xeon_gold 85119t
arm cortex-a 57
microsoft windows_server_2016 -
intel xeon_e3_1285l_v4 -
intel xeon_e5_1428l_v3 -
mitel micloud_management_portal *
intel xeon_platinum 8180
sonicwall sonicosv -
intel xeon_e5 4610_v3
intel xeon_e5_1650_v3 -
intel xeon_e5_2623_v4 -
intel xeon_e7 4830_v2
intel xeon_e7 8857_v2
intel xeon_e5 4627_v4
intel pentium_silver j5005
intel xeon_gold 86150
intel pentium_j j4205
intel xeon_e5 2667_v2
intel xeon_e5_2648l_v3 -
canonical ubuntu_linux 12.04
intel pentium n4200
intel atom_c c3538
intel xeon_e5 4620
intel xeon_e3 1575m_v5
microsoft windows_10 1607
microsoft windows_10 1709
intel xeon_e5 4667_v4
intel xeon_e3_1260l_v5 -
intel xeon_e5 2697_v3
intel xeon_e3 125c_
microsoft windows_10 1703
intel atom_z z3580
redhat enterprise_linux_eus 7.6
intel xeon_e5 2680_v2
intel core_m 32nm
intel atom_c c3558
intel xeon_e3_1258l_v4 -
intel atom_z z3735d
intel atom_e e3826
intel xeon_e7 8880_v2
redhat enterprise_linux_server_aus 6.5
intel xeon_e7 8860_v3
intel atom_z z3785
intel xeon_gold 85120t
redhat enterprise_linux_workstation 6.0
intel atom_z z2520
intel celeron_j j4105
intel xeon_e7 8860
intel xeon_e7 8870_v2
intel xeon_e5_1620_v2 -
intel xeon_e7 4850_v3
intel xeon_e5 4655_v4
siemens simatic_ipc477e_firmware *
intel xeon_e5_2407 -
intel xeon_e7 8891_v2
siemens simatic_ipc547e_firmware *
microsoft windows_server_2012 r2
intel xeon_e3_1246_v3 -
siemens ruggedcom_ape_firmware -
intel xeon_e3_1290 -
intel xeon_e5_2650_v4 -
intel core_m 45nm
intel xeon_e5_2623_v3 -
intel xeon_gold 86152
intel atom_z z3460
redhat enterprise_linux_server 6.0
intel xeon_e3_1280 -
intel xeon_e3_1230_v3 -
intel xeon_e5_2408l_v3 -
intel xeon_e3_1245_v6 -
intel xeon_e5_2407_v2 -
redhat openstack 10
microsoft windows_server_2016 1803
microsoft windows_10 1809
intel atom_c c3950
intel xeon_e5_2403_v2 -
intel xeon_e7 4809_v3
intel xeon_e5 4610
intel atom_z z3745
microsoft surface -
microsoft windows_server_2008 sp2
intel xeon_e3 1535m_v6
intel xeon_e5 2695_v3
intel xeon_platinum 8160m
siemens simatic_itp1000_firmware *
intel xeon_e5 2658_v3
intel xeon_e3 1275_
intel atom_c c3850
siemens simatic_ipc547g_firmware *
intel xeon_e5_2630l_v4 -
intel celeron_n n3450
intel xeon_e3_1240_v2 -
intel pentium n4000
intel xeon_gold 85122
siemens simatic_ipc627c_firmware *
intel xeon_e7 8890_v3
sonicwall secure_mobile_access -
redhat enterprise_linux_eus 7.7
intel atom_z z3735f
intel xeon_e3_1230l_v3 -
intel xeon_e3_1275_v6 -
redhat openstack 7.0
intel xeon_e7 8891_v3
intel xeon_e7 8870_v3
debian debian_linux 8.0
intel xeon_e5 2660
intel xeon_e5 4640_v3
intel xeon_e5_2630l -
intel xeon_e3 e6540
intel xeon_e5_1660 -
intel xeon_e5_2470_v2 -
intel xeon_e5_1680_v4 -
intel xeon_e5_2630_v3 -
intel xeon_e3_1290_v2 -
intel xeon_gold 5115
siemens simatic_ipc477c_firmware -
redhat enterprise_linux_eus 6.7
schneider-electric struxureware_data_center_expert *
intel xeon_e7 4860_v2
intel atom_z z3736g
intel xeon_platinum 8170m
intel atom_z z3740d
intel xeon_e5_2640_v2 -
intel xeon_e3 1220_
intel xeon_e3 e6550
intel xeon_e5_2609_v3 -
mitel micollab -
intel xeon_e5_1660_v3 -
canonical ubuntu_linux 17.10
intel xeon_e5_1660_v4 -
intel xeon_e3_1125c_v2 -
intel xeon_e3_1231_v3 -
intel xeon_e7 4850_v4
microsoft windows_server_2016 1709
intel xeon_e5 2667_v3
intel xeon_e5_2628l_v2 -
siemens simatic_ipc427c_firmware -
intel xeon_e5_2640_v4 -
intel xeon_gold 86130f
siemens simatic_ipc477e_pro_firmware *
intel xeon_e7 2820
intel xeon_e3 1585l_v5
intel xeon_e5 2697_v2
mitel open_integration_gateway -
microsoft surface_pro 4
intel xeon_e5 2697_v4
intel atom_z z3735e
intel xeon_e3 x5560
intel xeon_e3_1240l_v5 -
intel xeon_e3_1280_v2 -
intel xeon_e7 2870
redhat enterprise_linux_server_aus 7.2
intel xeon_e5 2690_v3
intel atom_z z3735g
intel xeon_e5_1620_v3 -
intel xeon_e5 4620_v4
intel xeon_e3 x3430
intel xeon_e3_1220_v3 -
intel xeon_e5 2658_v4
intel xeon_e5 2695_v4
intel xeon_e5_2450 -
intel xeon_e7 4830_v3
intel xeon_platinum 8176m
siemens sinumerik_840_d_sl_firmware -
nvidia jetson_tx1 *
intel xeon_e3_1275l_v3 -
intel xeon_e3_1265l_v2 -
redhat enterprise_linux_server_tus 7.3
intel xeon_e5 4603
intel xeon_platinum 8168
intel atom_e e3825
intel xeon_e5_1620_v4 -
siemens simatic_ipc827c_firmware *
intel xeon_e5 2687w
intel xeon_e3_1501m_v6 -
redhat enterprise_linux_server_aus 6.6
intel xeon_e5 2683_v3
intel xeon_e5_1650 -
siemens simatic_ipc347e_firmware *
intel xeon_e5 2697a_v4
intel xeon_e5_2650 -
redhat enterprise_linux_eus 7.5
intel xeon_e5_2650l_v2 -
intel atom_z z2460
intel xeon_e3_1245_v2 -
intel xeon_gold 86130t
intel xeon_e5 2690
intel xeon_platinum 8160f
intel xeon_e3_1245 -
intel xeon_e5_2603 -
intel xeon_e7 4830
intel xeon_e5 4650l
intel xeon_e7 4870
intel core_i7 45nm
intel xeon_e5_2448l -
redhat enterprise_linux_server_aus 5.9
intel xeon_e5 4640_v2
intel xeon_e3_1225_v6 -
intel xeon_e5 2695_v2
intel xeon_e5 2670_v2
intel atom_c c3858
intel xeon_gold 86134m
intel xeon_e3 1545m_v5
intel xeon_e3 l3426
intel xeon_silver 4114
intel xeon_e5_2428l -
intel atom_z z3770d
intel xeon_e5_2640 -
intel xeon_silver 4110
intel xeon_e5 4627_v3
intel xeon_e3_1268l_v3 -
intel xeon_e7 4809_v2
intel xeon_e3 l3406
intel atom_c c3955
intel xeon_e5_2648l_v4 -
intel xeon_e5 2680_v4
intel core_i5 32nm
redhat enterprise_linux_eus 7.4
intel xeon_e5 4640_v4
intel atom_z z2560
intel xeon_e7 4809_v4
intel xeon_e7 8850_v2
redhat enterprise_linux_server_tus 7.6
intel xeon_e5 2658
intel xeon_e3_1241_v3 -
intel xeon_e3_1286l_v3 -
intel xeon_e5_2430_v2 -
siemens itc2200_firmware *
intel xeon_e3 x3470
intel xeon_e5 2699_v4
mitel mivoice_connect -
redhat enterprise_linux_server_tus 7.4
canonical ubuntu_linux 16.04
intel xeon_e5_2418l_v3 -
microsoft surface_book -
redhat enterprise_linux_desktop 6.0
intel xeon_e5 4624l_v2
redhat mrg_realtime 2.0
intel core_i7 32nm
intel xeon_e3 l5530
intel xeon_silver 4116
intel xeon_gold 86144
intel xeon_e7 8893_v2
intel atom_c c2308
intel xeon_e5 4607
intel xeon_e5 2683_v4
intel xeon_e5 2690_v4
redhat enterprise_linux_server_aus 7.7
intel xeon_e3 1535m_v5
intel xeon_e5_1630_v3 -
redhat enterprise_linux_server_tus 7.2
intel xeon_e3 1565l_v5
microsoft surface_book 2
intel xeon_e5_2630_v4 -
intel xeon_gold 86128
intel xeon_e5 2667
intel xeon_e7 8880l_v3
intel xeon_e3 5600
intel celeron_j j3455
siemens simatic_ipc627d_firmware *
intel xeon_e3_1220_v6 -
intel xeon_e5 2687w_v2
intel xeon_e5_1660_v2 -
siemens sinema_remote_connect_firmware -
intel atom_z z2480
intel xeon_e5 2699r_v4
intel xeon_e3_1505l_v6 -
intel xeon_e5 2670_v3
intel xeon_e3_1505m_v5 -
microsoft windows_7 -
intel xeon_platinum 8176
intel xeon_e5 2687w_v4
siemens sinumerik_tcu_30.3_firmware -
intel atom_c c3750
intel xeon_e5_2637_v2 -
microsoft surface_pro 1796
intel xeon_gold 86126f
redhat enterprise_linux_workstation 7.0
intel xeon_e3_1225 -
intel xeon_e5_2430l -
intel xeon_e7 2830
redhat openstack 13
redhat virtualization_manager 4.2
intel xeon_platinum 8170
intel xeon_e7 4860
intel xeon_platinum 8156
intel xeon_e3_1278l_v4 -
intel xeon_e-1105c -
intel xeon_e5 4610_v4
intel xeon_e7 2803
siemens simatic_ipc827d_firmware *
intel xeon_e5 4648_v3
redhat enterprise_linux_server 7.0
intel xeon_e3_1225_v2 -
intel xeon_e3_1281_v3 -
intel xeon_e3_1285l_v3 -
intel atom_z z3740
intel xeon_e3_1220_v2 -
intel xeon_e5 4620_v2
intel xeon_e5 2660_v4
intel xeon_e3 l5520
intel atom_z z2580
intel xeon_e5 2670
intel xeon_e3_1240_v6 -
intel xeon_e5 2680
debian debian_linux 9.0
intel xeon_e7 4890_v2
mitel mivoice_5000 -
intel xeon_e7 2860
nvidia jetson_tx2 *
mitel mivoic_mx-one -
intel xeon_gold 86126t
siemens simotion_p320-4e_firmware *
intel xeon_e5_2609_v2 -
intel xeon_e3_1105c_v2 -
intel xeon_e3_1285_v3 -
intel xeon_e3 x5550
intel xeon_e3 e5530
intel xeon_e5_1650_v2 -
intel xeon_e5_2637_v4 -
intel xeon_e5_2618l_v4 -
intel xeon_e3 l5508_
intel xeon_platinum 8153
intel xeon_e5_2603_v4 -
intel xeon_e5 4627_v2
intel xeon_e3 e5540
intel xeon_e5_2448l_v2 -
intel xeon_e5 2690_v2
siemens simatic_et_200_sp_firmware *
intel atom_x5-e3930 -
intel xeon_e5_2609 -
intel xeon_e7 8867l
intel atom_c c3708
intel atom_c c3958
intel xeon_e5 4610_v2
intel xeon_e7 8880_v3
intel xeon_e5 4660_v3
intel xeon_e5 2660_v2
intel xeon_e3_1230_v6 -
redhat enterprise_linux_server_aus 7.3
intel xeon_e5_1620 -
oracle local_service_management_system *
intel atom_c c3808
siemens itc1500_pro_firmware *
intel xeon_e3_1280_v3 -
intel xeon_gold 86154
intel atom_e e3805
intel xeon_gold 86138t
intel xeon_e3_1280_v6 -
intel atom_z z3560
intel xeon_e5_2650l -
intel xeon_e3 x3440
intel xeon_gold 86142
intel xeon_e3_12201 -
intel xeon_e3 1505m_v6
intel xeon_e3 1515m_v5
siemens itc1500_firmware *
redhat enterprise_linux_server_aus 6.4
intel core_i3 32nm
intel xeon_e3_1220_v5 -
intel xeon_e5 4620_v3
intel xeon_e5_2620_v3 -
intel xeon_e7 8867_v4
siemens itc1900_pro_firmware *
siemens simatic_ipc477d_firmware *
intel xeon_e3_1230_v5 -
intel xeon_e7 4820_v4
intel xeon_e3_1501l_v6 -
intel xeon_e5_1680_v3 -
intel pentium n4100
intel xeon_e3_1220l_v3 -
intel xeon_gold 86138f
intel xeon_e3 e5504
intel xeon_e3 w5580
intel xeon_e3_1235l_v5 -
intel xeon_e5 2658_v2
intel xeon_e7 4880_v2
intel xeon_e5 4655_v3
intel atom_z z3770
mitel mivoice_business -
intel xeon_e5_2650_v3 -
intel xeon_e5_2440 -
intel xeon_e7 8891_v4
intel atom_c c3308
intel xeon_e5_2418l -
intel xeon_e5_2618l_v3 -
intel xeon_e3 e5502
intel xeon_e3 e5507
intel xeon_e5_2609_v4 -
intel xeon_e5_2648l -
intel xeon_gold 86146
intel xeon_e3_1270_v5 -
intel xeon_gold 86126
intel xeon_e3 1578l_v5
intel xeon_silver 4112

CVE-2018-5779 HIGH

A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to copy a malicious script into a newly generated PHP file and then execute the generated file using specially crafted requests. Successful exploit could allow an attacker to execute arbitrary code within the context of the application.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
mitel connect_onsite *
mitel st14.2 *

CVE-2018-5780 HIGH

A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vnewmeeting.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
mitel connect_onsite *
mitel st14.2 *

CVE-2018-5781 HIGH

A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vendrecording.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
mitel connect_onsite *
mitel st14.2 *

CVE-2018-5782 HIGH

A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vsethost.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94

Products Affected

Vendor Product Version
mitel connect_onsite *
mitel st14.2 *

CVE-2018-9101 MEDIUM

A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the launch_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
mitel st_14.2 *
mitel mivoice_connect *

CVE-2018-9102 MEDIUM

A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the signin interface. A successful exploit could allow an attacker to extract sensitive information from the database.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89

Products Affected

Vendor Product Version
mitel st_14.2 *
mitel mivoice_connect *

CVE-2018-9103 MEDIUM

A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the signin.php page. A successful exploit could allow an attacker to execute arbitrary scripts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
mitel st_14.2 *
mitel mivoice_connect *

CVE-2018-9104 MEDIUM

A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the api.php page. A successful exploit could allow an attacker to execute arbitrary scripts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
mitel st_14.2 *
mitel mivoice_connect *

CVE-2019-12165 HIGH

MiCollab 7.3 PR2 (7.3.0.204) and earlier, 7.2 (7.2.2.13) and earlier, and 7.1 (7.1.0.57) and earlier and MiCollab AWV 6.3 (6.3.0.103), 6.2 (6.2.2.8), 6.1 (6.1.0.28), 6.0 (6.0.0.61), and 5.0 (5.0.5.7) have a Command Execution Vulnerability. Successful exploit of this vulnerability could allow an attacker to execute arbitrary system commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo

Products Affected

Vendor Product Version
mitel micollab_audio,_web_&_video_conferencing *
mitel micollab *

CVE-2019-18863 MEDIUM

A key length vulnerability in the implementation of the SRTP 128-bit key on Mitel 6800 and 6900 SIP series phones, versions 5.1.0.2051 SP2 and earlier, could allow an attacker to launch a man-in-the-middle attack when SRTP is used in a call. A successful exploit may allow the attacker to intercept sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326

Products Affected

Vendor Product Version
mitel 6863i_firmware 5.1.0.2051
mitel 6930_firmware *
mitel 6865i_firmware 5.1.0.2051
mitel 6869i_firmware *
mitel 6920_firmware 5.1.0.2051
mitel 6863i_firmware *
mitel 6873i_firmware 5.1.0.2051
mitel 6867i_firmware *
mitel 6940_firmware *
mitel 6869i_firmware 5.1.0.2051
mitel 6867i_firmware 5.1.0.2051
mitel 6930_firmware 5.1.0.2051
mitel 6920_firmware *
mitel 6940_firmware 5.1.0.2051
mitel 6865i_firmware *
mitel 6873i_firmware *

CVE-2019-19370 MEDIUM

A cross-site scripting (XSS) vulnerability in the web conferencing component of the Mitel MiCollab application before 9.0.15 for Android could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation in the file upload interface. A successful exploit could allow an attacker to execute arbitrary scripts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
mitel micollab *

CVE-2019-19371 MEDIUM

A cross-site scripting (XSS) vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation in the join meeting interface. A successful exploit could allow an attacker to execute arbitrary scripts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor Product Version
mitel micollab_audio,_web_&_video_conferencing *

CVE-2019-19607 HIGH

A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the session parameter. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
mitel micollab_audio,_web_&_video_conferencing *

CVE-2019-19608 HIGH

A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the registeredList.cgi page. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor Product Version
mitel micollab_audio,_web_&_video_conferencing *

CVE-2019-19891 MEDIUM

An encryption key vulnerability on Mitel SIP-DECT wireless devices 8.0 and 8.1 could allow an attacker to launch a man-in-the-middle attack. A successful exploit may allow the attacker to intercept sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327

Products Affected

Vendor Product Version
mitel sip-dect_firmware 8.1
mitel sip-dect_firmware 8.0
CVE-2019-9591 MEDIUM

A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE before 19.49.1500.0 allows remote attackers to inject arbitrary web script or HTML via the brandUrl parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel connect_onsite *
CVE-2019-9592 MEDIUM

A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 19.45.1602.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel connect_onsite 19.45.1602.0
CVE-2019-9593 MEDIUM

A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 18.82.2000.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel connect_onsite 18.82.2000.0
CVE-2020-10211 HIGH

A remote code execution vulnerability in UCB component of Mitel MiVoice Connect before 19.1 SP1 could allow an unauthenticated remote attacker to execute arbitrary scripts due to insufficient validation of URL parameters. A successful exploit could allow an attacker to gain access to sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mitel mivoice_connect_client *
mitel mivoice_connect *
CVE-2020-10377 MEDIUM

A weak encryption vulnerability in Mitel MiVoice Connect Client before 214.100.1214.0 could allow an unauthenticated attacker to gain access to user credentials. A successful exploit could allow an attacker to access the system with compromised user credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
mitel mivoice_connect_client *
mitel mivoice_connect *
CVE-2020-11797 MEDIUM

An Authentication Bypass vulnerability in the Published Area of the web conferencing component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an unauthenticated attacker to gain access to unauthorized information due to insufficient access validation. A successful exploit could allow an attacker to access sensitive shared files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micollab_audio,_web_&_video_conferencing *
CVE-2020-11798 MEDIUM

A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
mitel micollab_audio,_web_&_video_conferencing *
CVE-2020-12456 MEDIUM

A remote code execution vulnerability in Mitel MiVoice Connect Client before 214.100.1223.0 could allow an attacker to execute arbitrary code in the chat notification window, due to improper rendering of chat messages. A successful exploit could allow an attacker to steal session cookies, perform directory traversal, and execute arbitrary scripts in the context of the Connect client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
mitel mivoice_connect_client *
mitel mivoice_connect *
CVE-2020-12679 MEDIUM

A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel mivoice_connect *
mitel shoretel_conference_web 19.50.1000.0
CVE-2020-13617 MEDIUM

The Web UI component of Mitel MiVoice 6800 and 6900 series SIP Phones with firmware before 5.1.0.SP5 could allow an unauthenticated attacker to expose sensitive information due to improper memory handling during failed login attempts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-307,

Products Affected

Vendor Product Version
mitel 6863_firmware 5.1
mitel 6873_firmware 5.1
mitel 6970_firmware *
mitel 6930_firmware *
mitel 6863_firmware *
mitel 6867_firmware 5.1
mitel 6905_firmware *
mitel 6867_firmware *
mitel 6930_firmware 5.1
mitel 6920_firmware 5.1
mitel 6869_firmware *
mitel 6865_firmware *
mitel 6869_firmware 5.1
mitel 6940_firmware 5.1
mitel 6940_firmware *
mitel 6865_firmware 5.1
mitel 6905_firmware 5.1
mitel 6920_firmware *
mitel 6873_firmware *
mitel 6910_firmware *
mitel 6910_firmware 5.1
mitel 6970_firmware 5.1
CVE-2020-13767 MEDIUM

The Mitel MiCollab application before 9.1.332 for iOS could allow an unauthorized user to access restricted files and folders due to insufficient access control. An exploit requires a rooted iOS device, and (if successful) could allow an attacker to gain access to sensitive information,

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-13863 MEDIUM

The SAS portal of Mitel MiCollab before 9.1.3 could allow an attacker to access user data by performing a header injection in HTTP responses, due to the improper handling of input parameters. A successful exploit could allow an attacker to access user information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-24592 MEDIUM

Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
mitel micloud_management_portal 6.1
mitel micloud_management_portal *
CVE-2020-24593 MEDIUM

Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-89,

Products Affected

Vendor Product Version
mitel micloud_management_portal 6.1
mitel micloud_management_portal *
CVE-2020-24594 MEDIUM

Mitel MiCloud Management Portal before 6.1 SP5 could allow an unauthenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel micloud_management_portal 6.1
mitel micloud_management_portal *
CVE-2020-24595 MEDIUM

Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to retrieve sensitive information due to insufficient access control.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micloud_management_portal 6.1
mitel micloud_management_portal *
CVE-2020-24692 LOW

The Ignite portal in Mitel MiContact Center Business before 9.3.0.0 could allow an attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-20,CWE-79,

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2020-24693 LOW

The Ignite portal in Mitel MiContact Center Business before 9.3.0.0 could allow a local attacker to view system information due to insufficient output sanitization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2020-25606 MEDIUM

The AWV component of Mitel MiCollab before 9.2 could allow an attacker to view system information by sending arbitrary code due to improper input validation, aka XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-79,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-25608 MEDIUM

The SAS portal of Mitel MiCollab before 9.2 could allow an attacker to access user credentials due to improper input validation, aka SQL Injection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-89,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-25609 LOW

The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-25610 MEDIUM

The AWV component of Mitel MiCollab before 9.2 could allow an attacker to gain access to a web conference due to insufficient access control for conference codes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-25611 MEDIUM

The AWV portal of Mitel MiCollab before 9.2 could allow an attacker to gain access to conference information by sending arbitrary code due to improper input validation, aka XSS. Successful exploitation could allow an attacker to view user conference information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,CWE-79,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-25612 MEDIUM

The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an attacker with escalated privilege to access user files due to insufficient access control. Successful exploit could potentially allow an attacker to gain access to sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-27154 MEDIUM

The chat window of Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.11 and 7.x before 7.0.3 could allow an attacker to gain access to user information by sending arbitrary code, due to improper input validation. A successful exploit could allow an attacker to view the user information and application data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mitel businesscti_enterprise *
CVE-2020-27340 MEDIUM

The online help portal of Mitel MiCollab before 9.2 could allow an attacker to redirect a user to an unauthorized website by executing malicious script due to insufficient access control.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-27639 MEDIUM

The Bluetooth handset of Mitel MiVoice 6873i, 6930, and 6940 SIP phones with firmware before 5.1.0.SP6 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel 6873i_sip_firmware *
mitel 6873i_sip_firmware 5.1.0
mitel 6930_sip_firmware 5.1.0
mitel 6940_sip_firmware *
mitel 6930_sip_firmware *
mitel 6940_sip_firmware 5.1.0
CVE-2020-27640 MEDIUM

The Bluetooth handset of Mitel MiVoice 6940 and 6930 MiNet phones with firmware before 1.5.3 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel mivoice_6930_firmware *
mitel mivoice_6940_firmware *
CVE-2020-28351 MEDIUM

The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel shoretel_firmware 19.46.1802.0
CVE-2020-35547 MEDIUM

A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2020-9379 MEDIUM

The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access to user conversations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2021-26714 HIGH

The Enterprise License Manager portal in Mitel MiContact Center Enterprise before 9.4 could allow a user to access restricted files and folders due to insufficient access control. A successful exploit could allow an attacker to view and modify application data via Directory Traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mitel micontact_center_enterprise *
CVE-2021-27401 MEDIUM

The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka Cross-Site Scripting (XSS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mitel micollab *
mitel micollab 9.2
CVE-2021-27402 MEDIUM

The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validation, aka Directory Traversal.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
mitel micollab *
mitel micollab 9.2
CVE-2021-3176 MEDIUM

The chat window of the Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.15 and 7.x before 7.1.2 could allow an attacker to gain access to user information by sending certain code, due to improper input validation of http links. A successful exploit could allow an attacker to view user information and application data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mitel businesscti_enterprise *
CVE-2021-32067 MEDIUM

The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2021-32068 MEDIUM

The AWV and MiCollab Client Service components in Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiation requests, due to insufficient TLS session controls. A successful exploit could allow an attacker to modify application data and state.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-770,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2021-32069 MEDIUM

The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2021-32070 MEDIUM

The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to perform a clickjacking attack due to an insecure header response. A successful exploit could allow an attacker to modify the browser header and redirect users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1021,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2021-32071 HIGH

The MiCollab Client service in Mitel MiCollab before 9.3 could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data, and cause a denial of service for users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2021-32072 MEDIUM

The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
mitel micollab *
CVE-2021-3352 MEDIUM

The Software Development Kit in Mitel MiContact Center Business from 8.0.0.0 through 8.1.4.1 and 9.0.0.0 through 9.3.1.0 could allow an unauthenticated attacker to access (view and modify) user data without authorization due to improper handling of tokens.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2021-37586 MEDIUM

The PowerPlay Web component of Mitel Interaction Recording Multitenancy systems before 6.7 could allow a user (with Administrator rights) to replay a previously recorded conversation of another tenant due to insufficient validation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mitel interaction_recording *
CVE-2022-26143 HIGH

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-306,CWE-306,

Products Affected

Vendor Product Version
mitel micollab 9.4
mitel mivoice_business_express *
mitel micollab *
CVE-2022-29499 HIGH

The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,CWE-20,

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2022-29854 HIGH

A vulnerability in Mitel 6900 Series IP (MiNet) phones excluding 6970, versions 1.8 (1.8.0.12) and earlier, could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-863,

Products Affected

Vendor Product Version
mitel minet_firmware *
CVE-2022-29855 HIGH

Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mitel 6920_sip_firmware *
mitel 6873i_sip_firmware *
mitel 6865i_sip_firmware *
mitel 6910_sip_firmware *
mitel 6905_sip_firmware *
mitel 6869i_sip_firmware *
mitel 6940_sip_firmware *
mitel 6930_sip_firmware *
mitel 6867i_sip_firmware *
CVE-2022-31784 MEDIUM

A vulnerability in the management interface of MiVoice Business through 9.3 PR1 and MiVoice Business Express through 8.0 SP3 PR3 could allow an unauthenticated attacker (that has network access to the management interface) to conduct a buffer overflow attack due to insufficient validation of URL parameters. A successful exploit could allow arbitrary code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
mitel mivoice_business *
mitel mivoice_business_express *
CVE-2022-36451

A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. A successful exploit could allow an attacker to leverage connections and permissions available to the host server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2022-36452

A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2022-36453

A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2022-36454

A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
mitel micollab *
CVE-2022-40765

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of URL parameters.

Products Affected

Vendor Product Version
mitel mivoice_connect 19.3
mitel mivoice_connect *
CVE-2022-41223

The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.

Products Affected

Vendor Product Version
mitel mivoice_connect 19.3
mitel mivoice_connect *
CVE-2022-41326

The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2023-22854

The ccmweb component of Mitel MiContact Center Business server 9.2.2.0 through 9.4.1.0 could allow an unauthenticated attacker to download arbitrary files, due to insufficient restriction of URL parameters. A successful exploit could allow access to sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2023-25597

A vulnerability in the web conferencing component of Mitel MiCollab through 9.6.2.9 could allow an unauthenticated attacker to download a shared file via a crafted request - including the exact path and filename - due to improper authentication control. A successful exploit could allow access to sensitive information.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2023-25598

A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. A successful exploit could allow an attacker to execute arbitrary scripts.

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-25599

A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts.

Products Affected

Vendor Product Version
mitel mivoice_connect 19.3
mitel mivoice_connect *
CVE-2023-31457

A vulnerability in the Headquarters server component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-31458

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-31459

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-31460

A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters.

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-32748

The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-39285

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-39286

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
mitel connect_mobility_router *
CVE-2023-39287

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L 1.2 4.2

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-39288

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L 1.2 4.2

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-39289

A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2208.101 could allow an unauthenticated attacker to conduct an account enumeration attack due to improper configuration. A successful exploit could allow an attacker to access system information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-39290

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through R19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-39291

A vulnerability in the Connect Mobility Router component of MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
mitel mivoice_connect *
CVE-2023-39292

A SQL Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to access sensitive information and execute arbitrary database and management operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mitel mivoice_office_400_smb_controller_firmware *
mitel mivoice_office_400 *
CVE-2023-39293

A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mitel mivoice_office_400_smb_controller_firmware *
mitel mivoice_office_400 *
CVE-2023-40265

An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows authenticated remote code execution via file upload.

Products Affected

Vendor Product Version
mitel unify_openscape_xpressions_webassistant *
CVE-2023-40266

An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows path traversal.

Products Affected

Vendor Product Version
mitel unify_openscape_xpressions_webassistant *
CVE-2024-28066

In Unify CP IP Phone firmware 1.10.4.3, Weak Credentials are used (a hardcoded root password).

Products Affected

Vendor Product Version
mitel 6970_firmware *
mitel openscape_cpx10_firmware *
mitel 6920w_firmware *
mitel 6905_firmware *
mitel 6930w_firmware *
mitel openscape_dect_firmware *
mitel 700d_dect_firmware *
mitel openscape_cp210_firmware *
mitel openscape_cp710_firmware *
mitel 6915_firmware *
mitel 6910_firmware *
mitel 6940w_firmware *
mitel openscape_cp110_firmware *
mitel openscape_cp410_firmware *
CVE-2024-28069

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component.

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2024-28070

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information and gain unauthorized access.

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2024-30157

A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-30158

A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-30159

A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-30160

A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-35283

A vulnerability in the Ignite component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a stored cross-site scripting (XSS) attack due to insufficient input validation.

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2024-35284

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation.

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2024-35285

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-35286

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-35287

A vulnerability in the NuPoint Messenger (NPM) component of Mitel MiCollab through version 9.8 SP1 (9.8.1.5) could allow an authenticated attacker with administrative privilege to conduct a privilege escalation attack due to the execution of a resource with unnecessary privileges. A successful exploit could allow an attacker to execute arbitrary commands with elevated privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-35314

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mitel mivoice_business_solution_virtual_instance 1.0.0.25
mitel micollab *
CVE-2024-35315

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an authenticated attacker to conduct a privilege escalation attack due to improper file validation. A successful exploit could allow an attacker to run arbitrary code with elevated privileges.

Products Affected

Vendor Product Version
mitel mivoice_business_solution_virtual_instance 1.0.0.25
mitel micollab *
CVE-2024-36446

The provisioning manager component of Mitel MiVoice MX-ONE through 7.6 SP1 could allow an authenticated attacker to conduct an authentication bypass attack due to improper access control. A successful exploit could allow an attacker to bypass the authorization schema.

Products Affected

Vendor Product Version
mitel mivoice_mx-one *
mitel mivoice_mx-one 7.6
CVE-2024-37569

An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x through 5.0.0.1018 devices. A command injection vulnerability exists in the hostname parameter taken in by the provis.html endpoint. The provis.html endpoint performs no sanitization on the hostname parameter (sent by an authenticated user), which is subsequently written to disk. During boot, the hostname parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the hostname parameter.

Products Affected

Vendor Product Version
mitel 6869i_sip_firmware *
CVE-2024-37570

On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.

Products Affected

Vendor Product Version
mitel 6869i_sip_firmware 4.5.0.41
CVE-2024-41710

A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system.

Products Affected

Vendor Product Version
mitel 6970_firmware *
mitel 6865i_sip_firmware *
mitel 6920w_sip_firmware *
mitel 6940_sip_firmware *
mitel 6930_sip_firmware *
mitel 6915_sip_firmware *
mitel 6920_sip_firmware *
mitel 6930w_sip_firmware *
mitel 6873i_sip_firmware *
mitel 6910_sip_firmware *
mitel 6940w_sip_firmware *
mitel 6905_sip_firmware *
mitel 6869i_sip_firmware *
mitel 6867i_sip_firmware *
mitel 6863i_sip_firmware *
CVE-2024-41712

A vulnerability in the Web Conferencing Component of Mitel MiCollab through 9.8.1.5 could allow an authenticated attacker to conduct a command injection attack, due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary commands on the system within the context of the user.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-41713

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-41714

A vulnerability in the Web Interface component of Mitel MiCollab through 9.8 SP1 (9.8.1.5) and MiVoice Business Solution Virtual Instance (MiVB SVI) through 1.0.0.27 could allow an authenticated attacker to conduct a command injection attack, due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands with elevated privileges within the context of the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
mitel micollab *
mitel mivoice_business_solution_virtual_instance *
CVE-2024-42514

A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.1.0.4 could allow an unauthenticated attacker to conduct an unauthorized access attack due to inadequate access control checks. A successful exploit requires user interaction and could allow an attacker to access sensitive information and send unauthorized messages during an active chat session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

Products Affected

Vendor Product Version
mitel micontact_center_business *
CVE-2024-47189

The API Interface of the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct SQL injection due to insufficient sanitization of user input. A successful exploit could allow an attacker with knowledge of specific details to access non-sensitive user provisioning information and execute arbitrary SQL database commands.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-47223

A vulnerability in the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access non-sensitive user provisioning information and execute arbitrary SQL database commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.4 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H 3.9 5.5

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-47224

A vulnerability in the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a CRLF injection attack due to inadequate encoding of user input in URLs. A successful exploit could allow an attacker to perform a phishing attack.

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-47912

A vulnerability in the AWV (Audio, Web, and Video) Conferencing component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to perform unauthorized data-access attacks due to missing authentication mechanisms. A successful exploit could allow an attacker to access and delete sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
mitel micollab *
CVE-2024-55550

Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

Products Affected

Vendor Product Version
mitel micollab 9.8
mitel micollab *
CVE-2025-52914

A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 (10.0.1.101) could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQL database commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
134c704f-9b21-4f2e-91b3-4a467353bcc0 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
mitel micollab *
CVE-2025-67822

A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system.

Products Affected

Vendor Product Version
mitel mivoice_mx-one *
mitel mivoice_mx-one 7.8
CVE-2025-67823

A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application.

Products Affected

Vendor Product Version
mitel micontact_center_business *
mitel cx *