The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 allows remote authenticated users to cause a denial of service (resource exhaustion) via a large number of active sessions, which exceeds ICP's maximum.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mitel_3300_integrated_communication_platform | * |
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-125,CWE-125,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | 7.2 |
| broadcom | symantec_messaging_gateway | 10.6.1 |
| redhat | virtualization | 6.0 |
| intellian | v100_firmware | 1.21 |
| redhat | enterprise_linux_server | 6.0 |
| broadcom | symantec_messaging_gateway | 10.6.0 |
| siemens | application_processing_engine_firmware | 2.0 |
| debian | debian_linux | 8.0 |
| mitel | micollab | 7.0 |
| mitel | micollab | 7.3 |
| intellian | v100_firmware | 1.20 |
| mitel | micollab | 7.1 |
| mitel | mivoice | 1.2.0.11 |
| redhat | gluster_storage | 2.1 |
| openssl | openssl | * |
| canonical | ubuntu_linux | 13.10 |
| siemens | simatic_s7-1500_firmware | 1.5 |
| opensuse | opensuse | 12.3 |
| mitel | micollab | 6.0 |
| redhat | enterprise_linux_server_aus | 6.5 |
| redhat | enterprise_linux_server_tus | 6.5 |
| ricon | s9922l_firmware | 16.10.3(3794) |
| mitel | micollab | 7.3.0.104 |
| mitel | mivoice | 1.1.3.3 |
| siemens | cp_1543-1_firmware | 1.1 |
| intellian | v100_firmware | 1.24 |
| splunk | splunk | * |
| redhat | enterprise_linux_workstation | 6.0 |
| debian | debian_linux | 7.0 |
| siemens | elan-8.2 | * |
| debian | debian_linux | 6.0 |
| intellian | v60_firmware | 1.25 |
| intellian | v60_firmware | 1.15 |
| mitel | mivoice | 1.3.2.2 |
| fedoraproject | fedora | 19 |
| canonical | ubuntu_linux | 12.10 |
| siemens | wincc_open_architecture | 3.12 |
| fedoraproject | fedora | 20 |
| opensuse | opensuse | 13.1 |
| canonical | ubuntu_linux | 12.04 |
| filezilla-project | filezilla_server | * |
| siemens | simatic_s7-1500t_firmware | 1.5 |
| redhat | enterprise_linux_desktop | 6.0 |
| mitel | mivoice | 1.4.0.102 |
| redhat | enterprise_linux_server_eus | 6.5 |
| redhat | storage | 2.1 |
| mitel | mivoice | 1.1.2.5 |
On iOS and Android devices, the ShoreTel Mobility Client app version 9.1.3.109 fails to properly validate SSL certificates provided by HTTPS connections, which means that an attacker in the position to perform MITM attacks may be able to obtain sensitive account information such as login credentials.
CVSS 2.0
Severity: LOW
Problem Type: CWE-295,CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | shortel_mobility_client | 9.1.3.109 |
A vulnerability in Mitel ST 14.2, release GA28 and earlier, could allow an attacker to use the API function to enumerate through user-ids which could be used to identify valid user ids and associated user names.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | st14.2 | * |
A vulnerability in the conferencing component of Mitel ST 14.2, release GA28 and earlier, could allow an authenticated user to upload a malicious script to the Personal Library by a crafted POST request. Successful exploit could allow an attacker to execute arbitrary code within the context of the application.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-434,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | st14.2 | * |
A vulnerability in the conferencing component of Mitel ST 14.2, versions GA29 (19.49.9400.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the signin.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | st_firmware | * |
The Mitel MiVoice 5330e VoIP device is affected by memory corruption flaws in the SIP/SDP packet handling functionality. An attacker can exploit this issue remotely, by sending a particular pattern of SIP/SDP packets, to cause a denial of service state in the affected devices and probably remote code execution.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_5330e_firmware | * |
A vulnerability in the web admin component of Mitel MiVoice Office 400, versions R5.0 HF3 (v8839a1) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack, due to insufficient validation for the start.asp page. A successful exploit could allow the attacker to execute arbitrary scripts to access sensitive browser-based information.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_office_400 | r5.0 |
SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the login interface. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | cmg_suite | * |
| mitel | cmg_suite | 8.4 |
SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the changepwd interface. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | cmg_suite | * |
| mitel | cmg_suite | 8.4 |
A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creation of unauthorized chat sessions, due to insufficient access controls. A successful exploit could allow execution of arbitrary commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_business_express | * |
| mitel | micollab | * |
The BluStar component in Mitel InAttend before 2.5 SP3 and CMG before 8.4 SP3 Suite Servers has a default password, which could allow remote attackers to gain unauthorized access and execute arbitrary scripts with potential impacts to the confidentiality, integrity and availability of the system.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-1188,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | cmg_suite | * |
| mitel | inattend | 2.5 |
| mitel | inattend | * |
| mitel | cmg_suite | 8.4 |
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-203,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| intel | xeon_e7 | 4820_v2 |
| intel | xeon_gold | 86140 |
| intel | atom_e | e3845 |
| intel | atom_c | c3508 |
| intel | xeon_e3_1271_v3 | - |
| intel | xeon_e5_2618l_v2 | - |
| intel | atom_x7-e3950 | - |
| intel | xeon_e5 | 4667_v3 |
| intel | xeon_e3_1270 | - |
| intel | xeon_e3 | l3403 |
| intel | xeon_e5_2418l_v2 | - |
| arm | cortex-a | 15 |
| microsoft | windows_10 | - |
| siemens | simatic_ipc847d_firmware | * |
| intel | xeon_e5_2630l_v2 | - |
| intel | xeon_silver | 4114t |
| intel | xeon_gold | 86134 |
| intel | xeon_e3_1226_v3 | - |
| intel | xeon_e5_2420_v2 | - |
| intel | xeon_e7 | 4830_v4 |
| intel | xeon_e3 | e6510 |
| redhat | virtualization_manager | 4.3 |
| intel | xeon_gold | 86132 |
| intel | xeon_gold | 86142f |
| intel | xeon_e7 | 4850 |
| intel | xeon_silver | 4109t |
| redhat | enterprise_linux_server_tus | 6.6 |
| intel | xeon_e7 | 8860_v4 |
| siemens | simatic_ipc647d_firmware | * |
| microsoft | surface_studio | - |
| intel | atom_z | z3745d |
| intel | xeon_e3_1225_v5 | - |
| intel | xeon_e3 | x3480 |
| intel | xeon_e5_2608l_v4 | - |
| intel | xeon_e5_2603_v3 | - |
| intel | atom_z | z3775 |
| intel | xeon_e5_2643 | - |
| intel | xeon_e7 | 2890_v2 |
| intel | atom_z | z3570 |
| intel | atom_z | z3795 |
| intel | xeon_e7 | 8850 |
| intel | core_i5 | 45nm |
| intel | xeon_e3_1240_v5 | - |
| intel | xeon_e3 | x3450 |
| intel | xeon_gold | 85115 |
| intel | atom_z | z3590 |
| intel | xeon_e3_1270_v2 | - |
| intel | xeon_gold | 86142m |
| redhat | virtualization | 4.0 |
| intel | xeon_e5 | 4669_v4 |
| redhat | openstack | 8 |
| intel | xeon_e3_1240_v3 | - |
| intel | xeon_e5_2430 | - |
| intel | xeon_e5_2650_v2 | - |
| redhat | enterprise_linux_server_tus | 7.7 |
| intel | xeon_e5 | 2660_v3 |
| intel | xeon_e5 | 2698_v4 |
| intel | xeon_e3_1275_v5 | - |
| intel | atom_x5-e3940 | - |
| intel | xeon_e3_1225_v3 | - |
| intel | xeon_e7 | 8880_v4 |
| siemens | itc2200_pro_firmware | * |
| intel | pentium_silver | n5000 |
| intel | xeon_e5 | 4603_v2 |
| siemens | simatic_ipc847c_firmware | * |
| siemens | itc1900_firmware | * |
| microsoft | windows_10 | 1803 |
| intel | xeon_e5_2643_v3 | - |
| intel | xeon_e3_1505l_v5 | - |
| intel | xeon_platinum | 8164 |
| intel | xeon_e3 | x5570 |
| intel | xeon_e3 | l5506 |
| intel | xeon_e3_1275_v3 | - |
| intel | xeon_e3 | l5518_ |
| intel | atom_c | c3758 |
| intel | xeon_e3_1286_v3 | - |
| intel | xeon_e3 | e5506 |
| intel | xeon_e7 | 8830 |
| intel | xeon_e3_1240l_v3 | - |
| redhat | enterprise_linux_server_aus | 7.4 |
| intel | xeon_e3_1230_v2 | - |
| intel | atom_e | e3827 |
| microsoft | windows_server_2008 | r2 |
| intel | xeon_e3_1280_v5 | - |
| intel | xeon_e5_2438l_v3 | - |
| intel | xeon_e5_2637 | - |
| intel | xeon_e7 | 2880_v2 |
| intel | xeon_e3_1276_v3 | - |
| intel | xeon_e7 | 8893_v4 |
| redhat | enterprise_linux_desktop | 7.0 |
| intel | xeon_gold | 85118 |
| siemens | simatic_s7-1500_firmware | * |
| siemens | simatic_field_pg_m4_firmware | * |
| intel | xeon_e3_1230 | - |
| siemens | simatic_ipc427e_firmware | * |
| intel | xeon_e5_2630l_v3 | - |
| intel | xeon_e5_2450_v2 | - |
| intel | xeon_e7 | 8867_v3 |
| intel | xeon_gold | 86148 |
| siemens | simatic_ipc677d_firmware | * |
| intel | xeon_e5 | 2698_v3 |
| intel | atom_z | z3775d |
| intel | xeon_e7 | 8837 |
| intel | xeon_e3_1265l_v3 | - |
| intel | xeon_platinum | 8158 |
| intel | xeon_e7 | 4820 |
| intel | xeon_e5 | 2687w_v3 |
| intel | xeon_e5 | 4607_v2 |
| intel | xeon_e3_1285_v4 | - |
| intel | xeon_e5_1428l_v2 | - |
| intel | xeon_silver | 4108 |
| intel | xeon_gold | 86130 |
| intel | xeon_e3_1270_v3 | - |
| intel | xeon_e3 | 7500 |
| microsoft | windows_8.1 | - |
| redhat | openstack | 9 |
| intel | xeon_e5_1428l | - |
| intel | xeon_e5_2450l | - |
| intel | xeon_e7 | 4870_v2 |
| intel | xeon_e3_1240 | - |
| intel | xeon_e5_2628l_v3 | - |
| intel | atom_e | e3815 |
| sonicwall | global_management_system | - |
| intel | xeon_e5 | 4650_v2 |
| intel | xeon_e7 | 4807 |
| siemens | sinumerik_pcu_50.5_firmware | * |
| intel | xeon_platinum | 8160 |
| intel | xeon_e5_2630_v2 | - |
| intel | atom_z | z3736f |
| siemens | simatic_ipc427d_firmware | * |
| intel | xeon_e5_2648l_v2 | - |
| intel | xeon_e5_2640_v3 | - |
| intel | xeon_e3 | w5590 |
| intel | xeon_e5_2420 | - |
| intel | xeon_e5 | 4650 |
| intel | xeon_e7 | 2850 |
| intel | xeon_e3_1260l | - |
| intel | xeon_gold | 85120 |
| intel | xeon_e5_2643_v2 | - |
| intel | xeon_e7 | 4850_v2 |
| intel | xeon_e7 | 8894_v4 |
| microsoft | surface_pro_with_lte_advanced | 1807 |
| intel | xeon_e3_12201_v2 | - |
| intel | xeon_e3_1268l_v5 | - |
| intel | xeon_e5_2608l_v3 | - |
| intel | xeon_e5_2428l_v3 | - |
| intel | xeon_e7 | 2870_v2 |
| intel | xeon_e3 | 1558l_v5 |
| intel | xeon_e3_1270_v6 | - |
| intel | xeon_e5_2620 | - |
| intel | xeon_e5_2630 | - |
| intel | xeon_e5 | 4650_v4 |
| intel | xeon_e5_2628l_v4 | - |
| intel | xeon_e3 | x3460 |
| intel | xeon_gold | 86140m |
| sonicwall | cloud_global_management_system | - |
| intel | xeon_e5 | 2680_v3 |
| intel | xeon_e5_2403 | - |
| intel | xeon_e5_2430l_v2 | - |
| intel | xeon_e3 | e5503 |
| siemens | simatic_ipc3000_smart_firmware | * |
| intel | xeon_e5_2470 | - |
| intel | atom_z | z2760 |
| intel | xeon_e5_1630_v4 | - |
| intel | xeon_e7 | 4820_v3 |
| intel | xeon_e5 | 4617 |
| intel | xeon_e5 | 2658a_v3 |
| sonicwall | email_security | - |
| intel | xeon_e5 | 4669_v3 |
| intel | xeon_e3 | 3600 |
| siemens | simatic_ipc647c_firmware | * |
| intel | xeon_e5_2643_v4 | - |
| intel | xeon_e3_1285_v6 | - |
| intel | xeon_e5_2650l_v3 | - |
| microsoft | surface_pro | 3 |
| intel | xeon_e3_1245_v5 | - |
| intel | xeon_e3_1275_v2 | - |
| intel | xeon_platinum | 8160t |
| microsoft | windows_server_2012 | - |
| mitel | mivoice_border_gateway | - |
| intel | core_i3 | 45nm |
| intel | atom_c | c3338 |
| intel | xeon_e3_1265l_v4 | - |
| intel | xeon_e5_2620_v2 | - |
| intel | xeon_e5_2440_v2 | - |
| arm | cortex-a | 72 |
| intel | xeon_e5_2428l_v2 | - |
| intel | xeon_e7 | 8870_v4 |
| intel | atom_z | z3530 |
| intel | xeon_e5 | 2699a_v4 |
| intel | atom_z | z3480 |
| canonical | ubuntu_linux | 14.04 |
| intel | xeon_e5_2637_v3 | - |
| intel | xeon_gold | 86138 |
| intel | xeon_e5 | 2650l_v4 |
| intel | xeon_e5 | 4657l_v2 |
| intel | xeon_e5_1650_v4 | - |
| intel | xeon_silver | 4116t |
| intel | atom_c | c3830 |
| intel | xeon_e5 | 2665 |
| redhat | enterprise_linux_eus | 7.3 |
| intel | xeon_e3_1245_v3 | - |
| intel | xeon_e7 | 8890_v4 |
| canonical | ubuntu_linux | 18.04 |
| siemens | simatic_ipc677c_firmware | * |
| intel | xeon_e7 | 2850_v2 |
| oracle | solaris | 11 |
| intel | xeon_e3_1235 | - |
| siemens | simatic_field_pg_m5_firmware | * |
| intel | xeon_e5 | 2699_v3 |
| intel | xeon_e5 | 4640 |
| intel | xeon_e7 | 8890_v2 |
| intel | xeon_platinum | 8176f |
| sonicwall | web_application_firewall | - |
| intel | xeon_e3 | 1585_v5 |
| intel | xeon_e5 | 4628l_v4 |
| intel | celeron_j | j4005 |
| intel | atom_z | z2420 |
| intel | xeon_e7 | 8870 |
| intel | xeon_e3 | e5520 |
| redhat | openstack | 12 |
| intel | xeon_e5_2450l_v2 | - |
| intel | xeon_e5 | 4660_v4 |
| intel | xeon_e5 | 2667_v4 |
| intel | xeon_e5 | 4650_v3 |
| intel | xeon_e5_2603_v2 | - |
| intel | xeon_e7 | 8893_v3 |
| intel | xeon_e7 | 8880l_v2 |
| intel | xeon_e5_2620_v4 | - |
| intel | xeon_gold | 86148f |
| intel | xeon_gold | 86136 |
| intel | xeon_gold | 85119t |
| arm | cortex-a | 57 |
| microsoft | windows_server_2016 | - |
| intel | xeon_e3_1285l_v4 | - |
| intel | xeon_e5_1428l_v3 | - |
| mitel | micloud_management_portal | * |
| intel | xeon_platinum | 8180 |
| sonicwall | sonicosv | - |
| intel | xeon_e5 | 4610_v3 |
| intel | xeon_e5_1650_v3 | - |
| intel | xeon_e5_2623_v4 | - |
| intel | xeon_e7 | 4830_v2 |
| intel | xeon_e7 | 8857_v2 |
| intel | xeon_e5 | 4627_v4 |
| intel | pentium_silver | j5005 |
| intel | xeon_gold | 86150 |
| intel | pentium_j | j4205 |
| intel | xeon_e5 | 2667_v2 |
| intel | xeon_e5_2648l_v3 | - |
| canonical | ubuntu_linux | 12.04 |
| intel | pentium | n4200 |
| intel | atom_c | c3538 |
| intel | xeon_e5 | 4620 |
| intel | xeon_e3 | 1575m_v5 |
| microsoft | windows_10 | 1607 |
| microsoft | windows_10 | 1709 |
| intel | xeon_e5 | 4667_v4 |
| intel | xeon_e3_1260l_v5 | - |
| intel | xeon_e5 | 2697_v3 |
| intel | xeon_e3 | 125c_ |
| microsoft | windows_10 | 1703 |
| intel | atom_z | z3580 |
| redhat | enterprise_linux_eus | 7.6 |
| intel | xeon_e5 | 2680_v2 |
| intel | core_m | 32nm |
| intel | atom_c | c3558 |
| intel | xeon_e3_1258l_v4 | - |
| intel | atom_z | z3735d |
| intel | atom_e | e3826 |
| intel | xeon_e7 | 8880_v2 |
| redhat | enterprise_linux_server_aus | 6.5 |
| intel | xeon_e7 | 8860_v3 |
| intel | atom_z | z3785 |
| intel | xeon_gold | 85120t |
| redhat | enterprise_linux_workstation | 6.0 |
| intel | atom_z | z2520 |
| intel | celeron_j | j4105 |
| intel | xeon_e7 | 8860 |
| intel | xeon_e7 | 8870_v2 |
| intel | xeon_e5_1620_v2 | - |
| intel | xeon_e7 | 4850_v3 |
| intel | xeon_e5 | 4655_v4 |
| siemens | simatic_ipc477e_firmware | * |
| intel | xeon_e5_2407 | - |
| intel | xeon_e7 | 8891_v2 |
| siemens | simatic_ipc547e_firmware | * |
| microsoft | windows_server_2012 | r2 |
| intel | xeon_e3_1246_v3 | - |
| siemens | ruggedcom_ape_firmware | - |
| intel | xeon_e3_1290 | - |
| intel | xeon_e5_2650_v4 | - |
| intel | core_m | 45nm |
| intel | xeon_e5_2623_v3 | - |
| intel | xeon_gold | 86152 |
| intel | atom_z | z3460 |
| redhat | enterprise_linux_server | 6.0 |
| intel | xeon_e3_1280 | - |
| intel | xeon_e3_1230_v3 | - |
| intel | xeon_e5_2408l_v3 | - |
| intel | xeon_e3_1245_v6 | - |
| intel | xeon_e5_2407_v2 | - |
| redhat | openstack | 10 |
| microsoft | windows_server_2016 | 1803 |
| microsoft | windows_10 | 1809 |
| intel | atom_c | c3950 |
| intel | xeon_e5_2403_v2 | - |
| intel | xeon_e7 | 4809_v3 |
| intel | xeon_e5 | 4610 |
| intel | atom_z | z3745 |
| microsoft | surface | - |
| microsoft | windows_server_2008 | sp2 |
| intel | xeon_e3 | 1535m_v6 |
| intel | xeon_e5 | 2695_v3 |
| intel | xeon_platinum | 8160m |
| siemens | simatic_itp1000_firmware | * |
| intel | xeon_e5 | 2658_v3 |
| intel | xeon_e3 | 1275_ |
| intel | atom_c | c3850 |
| siemens | simatic_ipc547g_firmware | * |
| intel | xeon_e5_2630l_v4 | - |
| intel | celeron_n | n3450 |
| intel | xeon_e3_1240_v2 | - |
| intel | pentium | n4000 |
| intel | xeon_gold | 85122 |
| siemens | simatic_ipc627c_firmware | * |
| intel | xeon_e7 | 8890_v3 |
| sonicwall | secure_mobile_access | - |
| redhat | enterprise_linux_eus | 7.7 |
| intel | atom_z | z3735f |
| intel | xeon_e3_1230l_v3 | - |
| intel | xeon_e3_1275_v6 | - |
| redhat | openstack | 7.0 |
| intel | xeon_e7 | 8891_v3 |
| intel | xeon_e7 | 8870_v3 |
| debian | debian_linux | 8.0 |
| intel | xeon_e5 | 2660 |
| intel | xeon_e5 | 4640_v3 |
| intel | xeon_e5_2630l | - |
| intel | xeon_e3 | e6540 |
| intel | xeon_e5_1660 | - |
| intel | xeon_e5_2470_v2 | - |
| intel | xeon_e5_1680_v4 | - |
| intel | xeon_e5_2630_v3 | - |
| intel | xeon_e3_1290_v2 | - |
| intel | xeon_gold | 5115 |
| siemens | simatic_ipc477c_firmware | - |
| redhat | enterprise_linux_eus | 6.7 |
| schneider-electric | struxureware_data_center_expert | * |
| intel | xeon_e7 | 4860_v2 |
| intel | atom_z | z3736g |
| intel | xeon_platinum | 8170m |
| intel | atom_z | z3740d |
| intel | xeon_e5_2640_v2 | - |
| intel | xeon_e3 | 1220_ |
| intel | xeon_e3 | e6550 |
| intel | xeon_e5_2609_v3 | - |
| mitel | micollab | - |
| intel | xeon_e5_1660_v3 | - |
| canonical | ubuntu_linux | 17.10 |
| intel | xeon_e5_1660_v4 | - |
| intel | xeon_e3_1125c_v2 | - |
| intel | xeon_e3_1231_v3 | - |
| intel | xeon_e7 | 4850_v4 |
| microsoft | windows_server_2016 | 1709 |
| intel | xeon_e5 | 2667_v3 |
| intel | xeon_e5_2628l_v2 | - |
| siemens | simatic_ipc427c_firmware | - |
| intel | xeon_e5_2640_v4 | - |
| intel | xeon_gold | 86130f |
| siemens | simatic_ipc477e_pro_firmware | * |
| intel | xeon_e7 | 2820 |
| intel | xeon_e3 | 1585l_v5 |
| intel | xeon_e5 | 2697_v2 |
| mitel | open_integration_gateway | - |
| microsoft | surface_pro | 4 |
| intel | xeon_e5 | 2697_v4 |
| intel | atom_z | z3735e |
| intel | xeon_e3 | x5560 |
| intel | xeon_e3_1240l_v5 | - |
| intel | xeon_e3_1280_v2 | - |
| intel | xeon_e7 | 2870 |
| redhat | enterprise_linux_server_aus | 7.2 |
| intel | xeon_e5 | 2690_v3 |
| intel | atom_z | z3735g |
| intel | xeon_e5_1620_v3 | - |
| intel | xeon_e5 | 4620_v4 |
| intel | xeon_e3 | x3430 |
| intel | xeon_e3_1220_v3 | - |
| intel | xeon_e5 | 2658_v4 |
| intel | xeon_e5 | 2695_v4 |
| intel | xeon_e5_2450 | - |
| intel | xeon_e7 | 4830_v3 |
| intel | xeon_platinum | 8176m |
| siemens | sinumerik_840_d_sl_firmware | - |
| nvidia | jetson_tx1 | * |
| intel | xeon_e3_1275l_v3 | - |
| intel | xeon_e3_1265l_v2 | - |
| redhat | enterprise_linux_server_tus | 7.3 |
| intel | xeon_e5 | 4603 |
| intel | xeon_platinum | 8168 |
| intel | atom_e | e3825 |
| intel | xeon_e5_1620_v4 | - |
| siemens | simatic_ipc827c_firmware | * |
| intel | xeon_e5 | 2687w |
| intel | xeon_e3_1501m_v6 | - |
| redhat | enterprise_linux_server_aus | 6.6 |
| intel | xeon_e5 | 2683_v3 |
| intel | xeon_e5_1650 | - |
| siemens | simatic_ipc347e_firmware | * |
| intel | xeon_e5 | 2697a_v4 |
| intel | xeon_e5_2650 | - |
| redhat | enterprise_linux_eus | 7.5 |
| intel | xeon_e5_2650l_v2 | - |
| intel | atom_z | z2460 |
| intel | xeon_e3_1245_v2 | - |
| intel | xeon_gold | 86130t |
| intel | xeon_e5 | 2690 |
| intel | xeon_platinum | 8160f |
| intel | xeon_e3_1245 | - |
| intel | xeon_e5_2603 | - |
| intel | xeon_e7 | 4830 |
| intel | xeon_e5 | 4650l |
| intel | xeon_e7 | 4870 |
| intel | core_i7 | 45nm |
| intel | xeon_e5_2448l | - |
| redhat | enterprise_linux_server_aus | 5.9 |
| intel | xeon_e5 | 4640_v2 |
| intel | xeon_e3_1225_v6 | - |
| intel | xeon_e5 | 2695_v2 |
| intel | xeon_e5 | 2670_v2 |
| intel | atom_c | c3858 |
| intel | xeon_gold | 86134m |
| intel | xeon_e3 | 1545m_v5 |
| intel | xeon_e3 | l3426 |
| intel | xeon_silver | 4114 |
| intel | xeon_e5_2428l | - |
| intel | atom_z | z3770d |
| intel | xeon_e5_2640 | - |
| intel | xeon_silver | 4110 |
| intel | xeon_e5 | 4627_v3 |
| intel | xeon_e3_1268l_v3 | - |
| intel | xeon_e7 | 4809_v2 |
| intel | xeon_e3 | l3406 |
| intel | atom_c | c3955 |
| intel | xeon_e5_2648l_v4 | - |
| intel | xeon_e5 | 2680_v4 |
| intel | core_i5 | 32nm |
| redhat | enterprise_linux_eus | 7.4 |
| intel | xeon_e5 | 4640_v4 |
| intel | atom_z | z2560 |
| intel | xeon_e7 | 4809_v4 |
| intel | xeon_e7 | 8850_v2 |
| redhat | enterprise_linux_server_tus | 7.6 |
| intel | xeon_e5 | 2658 |
| intel | xeon_e3_1241_v3 | - |
| intel | xeon_e3_1286l_v3 | - |
| intel | xeon_e5_2430_v2 | - |
| siemens | itc2200_firmware | * |
| intel | xeon_e3 | x3470 |
| intel | xeon_e5 | 2699_v4 |
| mitel | mivoice_connect | - |
| redhat | enterprise_linux_server_tus | 7.4 |
| canonical | ubuntu_linux | 16.04 |
| intel | xeon_e5_2418l_v3 | - |
| microsoft | surface_book | - |
| redhat | enterprise_linux_desktop | 6.0 |
| intel | xeon_e5 | 4624l_v2 |
| redhat | mrg_realtime | 2.0 |
| intel | core_i7 | 32nm |
| intel | xeon_e3 | l5530 |
| intel | xeon_silver | 4116 |
| intel | xeon_gold | 86144 |
| intel | xeon_e7 | 8893_v2 |
| intel | atom_c | c2308 |
| intel | xeon_e5 | 4607 |
| intel | xeon_e5 | 2683_v4 |
| intel | xeon_e5 | 2690_v4 |
| redhat | enterprise_linux_server_aus | 7.7 |
| intel | xeon_e3 | 1535m_v5 |
| intel | xeon_e5_1630_v3 | - |
| redhat | enterprise_linux_server_tus | 7.2 |
| intel | xeon_e3 | 1565l_v5 |
| microsoft | surface_book | 2 |
| intel | xeon_e5_2630_v4 | - |
| intel | xeon_gold | 86128 |
| intel | xeon_e5 | 2667 |
| intel | xeon_e7 | 8880l_v3 |
| intel | xeon_e3 | 5600 |
| intel | celeron_j | j3455 |
| siemens | simatic_ipc627d_firmware | * |
| intel | xeon_e3_1220_v6 | - |
| intel | xeon_e5 | 2687w_v2 |
| intel | xeon_e5_1660_v2 | - |
| siemens | sinema_remote_connect_firmware | - |
| intel | atom_z | z2480 |
| intel | xeon_e5 | 2699r_v4 |
| intel | xeon_e3_1505l_v6 | - |
| intel | xeon_e5 | 2670_v3 |
| intel | xeon_e3_1505m_v5 | - |
| microsoft | windows_7 | - |
| intel | xeon_platinum | 8176 |
| intel | xeon_e5 | 2687w_v4 |
| siemens | sinumerik_tcu_30.3_firmware | - |
| intel | atom_c | c3750 |
| intel | xeon_e5_2637_v2 | - |
| microsoft | surface_pro | 1796 |
| intel | xeon_gold | 86126f |
| redhat | enterprise_linux_workstation | 7.0 |
| intel | xeon_e3_1225 | - |
| intel | xeon_e5_2430l | - |
| intel | xeon_e7 | 2830 |
| redhat | openstack | 13 |
| redhat | virtualization_manager | 4.2 |
| intel | xeon_platinum | 8170 |
| intel | xeon_e7 | 4860 |
| intel | xeon_platinum | 8156 |
| intel | xeon_e3_1278l_v4 | - |
| intel | xeon_e-1105c | - |
| intel | xeon_e5 | 4610_v4 |
| intel | xeon_e7 | 2803 |
| siemens | simatic_ipc827d_firmware | * |
| intel | xeon_e5 | 4648_v3 |
| redhat | enterprise_linux_server | 7.0 |
| intel | xeon_e3_1225_v2 | - |
| intel | xeon_e3_1281_v3 | - |
| intel | xeon_e3_1285l_v3 | - |
| intel | atom_z | z3740 |
| intel | xeon_e3_1220_v2 | - |
| intel | xeon_e5 | 4620_v2 |
| intel | xeon_e5 | 2660_v4 |
| intel | xeon_e3 | l5520 |
| intel | atom_z | z2580 |
| intel | xeon_e5 | 2670 |
| intel | xeon_e3_1240_v6 | - |
| intel | xeon_e5 | 2680 |
| debian | debian_linux | 9.0 |
| intel | xeon_e7 | 4890_v2 |
| mitel | mivoice_5000 | - |
| intel | xeon_e7 | 2860 |
| nvidia | jetson_tx2 | * |
| mitel | mivoic_mx-one | - |
| intel | xeon_gold | 86126t |
| siemens | simotion_p320-4e_firmware | * |
| intel | xeon_e5_2609_v2 | - |
| intel | xeon_e3_1105c_v2 | - |
| intel | xeon_e3_1285_v3 | - |
| intel | xeon_e3 | x5550 |
| intel | xeon_e3 | e5530 |
| intel | xeon_e5_1650_v2 | - |
| intel | xeon_e5_2637_v4 | - |
| intel | xeon_e5_2618l_v4 | - |
| intel | xeon_e3 | l5508_ |
| intel | xeon_platinum | 8153 |
| intel | xeon_e5_2603_v4 | - |
| intel | xeon_e5 | 4627_v2 |
| intel | xeon_e3 | e5540 |
| intel | xeon_e5_2448l_v2 | - |
| intel | xeon_e5 | 2690_v2 |
| siemens | simatic_et_200_sp_firmware | * |
| intel | atom_x5-e3930 | - |
| intel | xeon_e5_2609 | - |
| intel | xeon_e7 | 8867l |
| intel | atom_c | c3708 |
| intel | atom_c | c3958 |
| intel | xeon_e5 | 4610_v2 |
| intel | xeon_e7 | 8880_v3 |
| intel | xeon_e5 | 4660_v3 |
| intel | xeon_e5 | 2660_v2 |
| intel | xeon_e3_1230_v6 | - |
| redhat | enterprise_linux_server_aus | 7.3 |
| intel | xeon_e5_1620 | - |
| oracle | local_service_management_system | * |
| intel | atom_c | c3808 |
| siemens | itc1500_pro_firmware | * |
| intel | xeon_e3_1280_v3 | - |
| intel | xeon_gold | 86154 |
| intel | atom_e | e3805 |
| intel | xeon_gold | 86138t |
| intel | xeon_e3_1280_v6 | - |
| intel | atom_z | z3560 |
| intel | xeon_e5_2650l | - |
| intel | xeon_e3 | x3440 |
| intel | xeon_gold | 86142 |
| intel | xeon_e3_12201 | - |
| intel | xeon_e3 | 1505m_v6 |
| intel | xeon_e3 | 1515m_v5 |
| siemens | itc1500_firmware | * |
| redhat | enterprise_linux_server_aus | 6.4 |
| intel | core_i3 | 32nm |
| intel | xeon_e3_1220_v5 | - |
| intel | xeon_e5 | 4620_v3 |
| intel | xeon_e5_2620_v3 | - |
| intel | xeon_e7 | 8867_v4 |
| siemens | itc1900_pro_firmware | * |
| siemens | simatic_ipc477d_firmware | * |
| intel | xeon_e3_1230_v5 | - |
| intel | xeon_e7 | 4820_v4 |
| intel | xeon_e3_1501l_v6 | - |
| intel | xeon_e5_1680_v3 | - |
| intel | pentium | n4100 |
| intel | xeon_e3_1220l_v3 | - |
| intel | xeon_gold | 86138f |
| intel | xeon_e3 | e5504 |
| intel | xeon_e3 | w5580 |
| intel | xeon_e3_1235l_v5 | - |
| intel | xeon_e5 | 2658_v2 |
| intel | xeon_e7 | 4880_v2 |
| intel | xeon_e5 | 4655_v3 |
| intel | atom_z | z3770 |
| mitel | mivoice_business | - |
| intel | xeon_e5_2650_v3 | - |
| intel | xeon_e5_2440 | - |
| intel | xeon_e7 | 8891_v4 |
| intel | atom_c | c3308 |
| intel | xeon_e5_2418l | - |
| intel | xeon_e5_2618l_v3 | - |
| intel | xeon_e3 | e5502 |
| intel | xeon_e3 | e5507 |
| intel | xeon_e5_2609_v4 | - |
| intel | xeon_e5_2648l | - |
| intel | xeon_gold | 86146 |
| intel | xeon_e3_1270_v5 | - |
| intel | xeon_gold | 86126 |
| intel | xeon_e3 | 1578l_v5 |
| intel | xeon_silver | 4112 |
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to copy a malicious script into a newly generated PHP file and then execute the generated file using specially crafted requests. Successful exploit could allow an attacker to execute arbitrary code within the context of the application.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_onsite | * |
| mitel | st14.2 | * |
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vnewmeeting.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_onsite | * |
| mitel | st14.2 | * |
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vendrecording.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_onsite | * |
| mitel | st14.2 | * |
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vsethost.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_onsite | * |
| mitel | st14.2 | * |
A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the launch_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | st_14.2 | * |
| mitel | mivoice_connect | * |
A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the signin interface. A successful exploit could allow an attacker to extract sensitive information from the database.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | st_14.2 | * |
| mitel | mivoice_connect | * |
A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the signin.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | st_14.2 | * |
| mitel | mivoice_connect | * |
A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the api.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | st_14.2 | * |
| mitel | mivoice_connect | * |
MiCollab 7.3 PR2 (7.3.0.204) and earlier, 7.2 (7.2.2.13) and earlier, and 7.1 (7.1.0.57) and earlier and MiCollab AWV 6.3 (6.3.0.103), 6.2 (6.2.2.8), 6.1 (6.1.0.28), 6.0 (6.0.0.61), and 5.0 (5.0.5.7) have a Command Execution Vulnerability. Successful exploit of this vulnerability could allow an attacker to execute arbitrary system commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab_audio,_web_&_video_conferencing | * |
| mitel | micollab | * |
A key length vulnerability in the implementation of the SRTP 128-bit key on Mitel 6800 and 6900 SIP series phones, versions 5.1.0.2051 SP2 and earlier, could allow an attacker to launch a man-in-the-middle attack when SRTP is used in a call. A successful exploit may allow the attacker to intercept sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-326,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6863i_firmware | 5.1.0.2051 |
| mitel | 6930_firmware | * |
| mitel | 6865i_firmware | 5.1.0.2051 |
| mitel | 6869i_firmware | * |
| mitel | 6920_firmware | 5.1.0.2051 |
| mitel | 6863i_firmware | * |
| mitel | 6873i_firmware | 5.1.0.2051 |
| mitel | 6867i_firmware | * |
| mitel | 6940_firmware | * |
| mitel | 6869i_firmware | 5.1.0.2051 |
| mitel | 6867i_firmware | 5.1.0.2051 |
| mitel | 6930_firmware | 5.1.0.2051 |
| mitel | 6920_firmware | * |
| mitel | 6940_firmware | 5.1.0.2051 |
| mitel | 6865i_firmware | * |
| mitel | 6873i_firmware | * |
A cross-site scripting (XSS) vulnerability in the web conferencing component of the Mitel MiCollab application before 9.0.15 for Android could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation in the file upload interface. A successful exploit could allow an attacker to execute arbitrary scripts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A cross-site scripting (XSS) vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation in the join meeting interface. A successful exploit could allow an attacker to execute arbitrary scripts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab_audio,_web_&_video_conferencing | * |
A SQL injection vulnerability in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the session parameter. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab_audio,_web_&_video_conferencing | * |
A SQL injection vulnerability in in the web conferencing component of Mitel MiCollab AWV before 8.1.2.2 could allow an unauthenticated attack due to insufficient input validation for the registeredList.cgi page. A successful exploit could allow an attacker to extract sensitive information from the database and execute arbitrary scripts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab_audio,_web_&_video_conferencing | * |
An encryption key vulnerability on Mitel SIP-DECT wireless devices 8.0 and 8.1 could allow an attacker to launch a man-in-the-middle attack. A successful exploit may allow the attacker to intercept sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-327,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | sip-dect_firmware | 8.1 |
| mitel | sip-dect_firmware | 8.0 |
A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE before 19.49.1500.0 allows remote attackers to inject arbitrary web script or HTML via the brandUrl parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_onsite | * |
A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 19.45.1602.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_onsite | 19.45.1602.0 |
A reflected Cross-site scripting (XSS) vulnerability in ShoreTel Connect ONSITE 18.82.2000.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_onsite | 18.82.2000.0 |
A remote code execution vulnerability in UCB component of Mitel MiVoice Connect before 19.1 SP1 could allow an unauthenticated remote attacker to execute arbitrary scripts due to insufficient validation of URL parameters. A successful exploit could allow an attacker to gain access to sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect_client | * |
| mitel | mivoice_connect | * |
A weak encryption vulnerability in Mitel MiVoice Connect Client before 214.100.1214.0 could allow an unauthenticated attacker to gain access to user credentials. A successful exploit could allow an attacker to access the system with compromised user credentials.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-327,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect_client | * |
| mitel | mivoice_connect | * |
An Authentication Bypass vulnerability in the Published Area of the web conferencing component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an unauthenticated attacker to gain access to unauthorized information due to insufficient access validation. A successful exploit could allow an attacker to access sensitive shared files.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab_audio,_web_&_video_conferencing | * |
A Directory Traversal vulnerability in the web conference component of Mitel MiCollab AWV before 8.1.2.4 and 9.x before 9.1.3 could allow an attacker to access arbitrary files from restricted directories of the server via a crafted URL, due to insufficient access validation. A successful exploit could allow an attacker to access sensitive information from the restricted directories.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab_audio,_web_&_video_conferencing | * |
A remote code execution vulnerability in Mitel MiVoice Connect Client before 214.100.1223.0 could allow an attacker to execute arbitrary code in the chat notification window, due to improper rendering of chat messages. A successful exploit could allow an attacker to steal session cookies, perform directory traversal, and execute arbitrary scripts in the context of the Connect client.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect_client | * |
| mitel | mivoice_connect | * |
A reflected cross-site scripting (XSS) vulnerability in the Mitel ShoreTel Conference Web Application 19.50.1000.0 before MiVoice Connect 18.7 SP2 allows remote attackers to inject arbitrary JavaScript and HTML via the PATH_INFO to home.php.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
| mitel | shoretel_conference_web | 19.50.1000.0 |
The Web UI component of Mitel MiVoice 6800 and 6900 series SIP Phones with firmware before 5.1.0.SP5 could allow an unauthenticated attacker to expose sensitive information due to improper memory handling during failed login attempts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-307,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6863_firmware | 5.1 |
| mitel | 6873_firmware | 5.1 |
| mitel | 6970_firmware | * |
| mitel | 6930_firmware | * |
| mitel | 6863_firmware | * |
| mitel | 6867_firmware | 5.1 |
| mitel | 6905_firmware | * |
| mitel | 6867_firmware | * |
| mitel | 6930_firmware | 5.1 |
| mitel | 6920_firmware | 5.1 |
| mitel | 6869_firmware | * |
| mitel | 6865_firmware | * |
| mitel | 6869_firmware | 5.1 |
| mitel | 6940_firmware | 5.1 |
| mitel | 6940_firmware | * |
| mitel | 6865_firmware | 5.1 |
| mitel | 6905_firmware | 5.1 |
| mitel | 6920_firmware | * |
| mitel | 6873_firmware | * |
| mitel | 6910_firmware | * |
| mitel | 6910_firmware | 5.1 |
| mitel | 6970_firmware | 5.1 |
The Mitel MiCollab application before 9.1.332 for iOS could allow an unauthorized user to access restricted files and folders due to insufficient access control. An exploit requires a rooted iOS device, and (if successful) could allow an attacker to gain access to sensitive information,
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The SAS portal of Mitel MiCollab before 9.1.3 could allow an attacker to access user data by performing a header injection in HTTP responses, due to the improper handling of input parameters. A successful exploit could allow an attacker to access user information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H | 2.8 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-74,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to view system information due to insufficient output sanitization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-116,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micloud_management_portal | 6.1 |
| mitel | micloud_management_portal | * |
Mitel MiCloud Management Portal before 6.1 SP5 could allow a remote attacker to conduct a SQL Injection attack and access user credentials due to improper input validation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micloud_management_portal | 6.1 |
| mitel | micloud_management_portal | * |
Mitel MiCloud Management Portal before 6.1 SP5 could allow an unauthenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.8 | 6.0 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micloud_management_portal | 6.1 |
| mitel | micloud_management_portal | * |
Mitel MiCloud Management Portal before 6.1 SP5 could allow an attacker, by sending a crafted request, to retrieve sensitive information due to insufficient access control.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micloud_management_portal | 6.1 |
| mitel | micloud_management_portal | * |
The Ignite portal in Mitel MiContact Center Business before 9.3.0.0 could allow an attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N | 1.8 | 5.2 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
The Ignite portal in Mitel MiContact Center Business before 9.3.0.0 could allow a local attacker to view system information due to insufficient output sanitization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
The AWV component of Mitel MiCollab before 9.2 could allow an attacker to view system information by sending arbitrary code due to improper input validation, aka XSS.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The SAS portal of Mitel MiCollab before 9.2 could allow an attacker to access user credentials due to improper input validation, aka SQL Injection.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The AWV component of Mitel MiCollab before 9.2 could allow an attacker to gain access to a web conference due to insufficient access control for conference codes.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The AWV portal of Mitel MiCollab before 9.2 could allow an attacker to gain access to conference information by sending arbitrary code due to improper input validation, aka XSS. Successful exploitation could allow an attacker to view user conference information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an attacker with escalated privilege to access user files due to insufficient access control. Successful exploit could potentially allow an attacker to gain access to sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The chat window of Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.11 and 7.x before 7.0.3 could allow an attacker to gain access to user information by sending arbitrary code, due to improper input validation. A successful exploit could allow an attacker to view the user information and application data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | businesscti_enterprise | * |
The online help portal of Mitel MiCollab before 9.2 could allow an attacker to redirect a user to an unauthorized website by executing malicious script due to insufficient access control.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:L | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The Bluetooth handset of Mitel MiVoice 6873i, 6930, and 6940 SIP phones with firmware before 5.1.0.SP6 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 2.8 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6873i_sip_firmware | * |
| mitel | 6873i_sip_firmware | 5.1.0 |
| mitel | 6930_sip_firmware | 5.1.0 |
| mitel | 6940_sip_firmware | * |
| mitel | 6930_sip_firmware | * |
| mitel | 6940_sip_firmware | 5.1.0 |
The Bluetooth handset of Mitel MiVoice 6940 and 6930 MiNet phones with firmware before 1.5.3 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 2.8 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_6930_firmware | * |
| mitel | mivoice_6940_firmware | * |
The conferencing component on Mitel ShoreTel 19.46.1802.0 devices could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack (via the PATH_INFO to index.php) due to insufficient validation for the time_zone object in the HOME_MEETING& page.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | shoretel_firmware | 19.46.1802.0 |
A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The Software Development Kit of the MiContact Center Business with Site Based Security 8.0 through 9.0.1.0 before KB496276 allows an authenticated user to access sensitive information. A successful exploit could allow unauthorized access to user conversations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
The Enterprise License Manager portal in Mitel MiContact Center Enterprise before 9.4 could allow a user to access restricted files and folders due to insufficient access control. A successful exploit could allow an attacker to view and modify application data via Directory Traversal.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_enterprise | * |
The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka Cross-Site Scripting (XSS).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
| mitel | micollab | 9.2 |
The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validation, aka Directory Traversal.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
| mitel | micollab | 9.2 |
The chat window of the Mitel BusinessCTI Enterprise (MBC-E) Client for Windows before 6.4.15 and 7.x before 7.1.2 could allow an attacker to gain access to user information by sending certain code, due to improper input validation of http links. A successful exploit could allow an attacker to view user information and application data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | businesscti_enterprise | * |
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-116,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The AWV and MiCollab Client Service components in Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiation requests, due to insufficient TLS session controls. A successful exploit could allow an attacker to modify application data and state.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.7 | LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N | 2.2 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2.2 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to perform a clickjacking attack due to an insecure header response. A successful exploit could allow an attacker to modify the browser header and redirect users.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | 2.8 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-1021,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The MiCollab Client service in Mitel MiCollab before 9.3 could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data, and cause a denial of service for users.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-116,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The Software Development Kit in Mitel MiContact Center Business from 8.0.0.0 through 8.1.4.1 and 9.0.0.0 through 9.3.1.0 could allow an unauthenticated attacker to access (view and modify) user data without authorization due to improper handling of tokens.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
The PowerPlay Web component of Mitel Interaction Recording Multitenancy systems before 6.7 could allow a user (with Administrator rights) to replay a previously recorded conversation of another tenant due to insufficient validation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | interaction_recording | * |
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-306,CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | 9.4 |
| mitel | mivoice_business_express | * |
| mitel | micollab | * |
The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in Mitel 6900 Series IP (MiNet) phones excluding 6970, versions 1.8 (1.8.0.12) and earlier, could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | minet_firmware | * |
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6920_sip_firmware | * |
| mitel | 6873i_sip_firmware | * |
| mitel | 6865i_sip_firmware | * |
| mitel | 6910_sip_firmware | * |
| mitel | 6905_sip_firmware | * |
| mitel | 6869i_sip_firmware | * |
| mitel | 6940_sip_firmware | * |
| mitel | 6930_sip_firmware | * |
| mitel | 6867i_sip_firmware | * |
A vulnerability in the management interface of MiVoice Business through 9.3 PR1 and MiVoice Business Express through 8.0 SP3 PR3 could allow an unauthenticated attacker (that has network access to the management interface) to conduct a buffer overflow attack due to insufficient validation of URL parameters. A successful exploit could allow arbitrary code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-120,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_business | * |
| mitel | mivoice_business_express | * |
A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. A successful exploit could allow an attacker to leverage connections and permissions available to the host server.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of URL parameters.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | 19.3 |
| mitel | mivoice_connect | * |
The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | 19.3 |
| mitel | mivoice_connect | * |
The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
The ccmweb component of Mitel MiContact Center Business server 9.2.2.0 through 9.4.1.0 could allow an unauthenticated attacker to download arbitrary files, due to insufficient restriction of URL parameters. A successful exploit could allow access to sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
A vulnerability in the web conferencing component of Mitel MiCollab through 9.6.2.9 could allow an unauthenticated attacker to download a shared file via a crafted request - including the exact path and filename - due to improper authentication control. A successful exploit could allow access to sensitive information.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | 19.3 |
| mitel | mivoice_connect | * |
A vulnerability in the Headquarters server component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 2.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | connect_mobility_router | * |
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L | 1.2 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L | 1.2 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2208.101 could allow an unauthenticated attacker to conduct an account enumeration attack due to improper configuration. A successful exploit could allow an attacker to access system information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through R19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A vulnerability in the Connect Mobility Router component of MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_connect | * |
A SQL Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to access sensitive information and execute arbitrary database and management operations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_office_400_smb_controller_firmware | * |
| mitel | mivoice_office_400 | * |
A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_office_400_smb_controller_firmware | * |
| mitel | mivoice_office_400 | * |
An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows authenticated remote code execution via file upload.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | unify_openscape_xpressions_webassistant | * |
An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows path traversal.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | unify_openscape_xpressions_webassistant | * |
In Unify CP IP Phone firmware 1.10.4.3, Weak Credentials are used (a hardcoded root password).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6970_firmware | * |
| mitel | openscape_cpx10_firmware | * |
| mitel | 6920w_firmware | * |
| mitel | 6905_firmware | * |
| mitel | 6930w_firmware | * |
| mitel | openscape_dect_firmware | * |
| mitel | 700d_dect_firmware | * |
| mitel | openscape_cp210_firmware | * |
| mitel | openscape_cp710_firmware | * |
| mitel | 6915_firmware | * |
| mitel | 6910_firmware | * |
| mitel | 6940w_firmware | * |
| mitel | openscape_cp110_firmware | * |
| mitel | openscape_cp410_firmware | * |
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to access sensitive information and potentially conduct unauthorized actions within the vulnerable component.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information and gain unauthorized access.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the Ignite component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a stored cross-site scripting (XSS) attack due to insufficient input validation.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the NuPoint Messenger (NPM) component of Mitel MiCollab through version 9.8 SP1 (9.8.1.5) could allow an authenticated attacker with administrative privilege to conduct a privilege escalation attack due to the execution of a resource with unnecessary privileges. A successful exploit could allow an attacker to execute arbitrary commands with elevated privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_business_solution_virtual_instance | 1.0.0.25 |
| mitel | micollab | * |
A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an authenticated attacker to conduct a privilege escalation attack due to improper file validation. A successful exploit could allow an attacker to run arbitrary code with elevated privileges.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_business_solution_virtual_instance | 1.0.0.25 |
| mitel | micollab | * |
The provisioning manager component of Mitel MiVoice MX-ONE through 7.6 SP1 could allow an authenticated attacker to conduct an authentication bypass attack due to improper access control. A successful exploit could allow an attacker to bypass the authorization schema.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_mx-one | * |
| mitel | mivoice_mx-one | 7.6 |
An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x through 5.0.0.1018 devices. A command injection vulnerability exists in the hostname parameter taken in by the provis.html endpoint. The provis.html endpoint performs no sanitization on the hostname parameter (sent by an authenticated user), which is subsequently written to disk. During boot, the hostname parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the hostname parameter.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6869i_sip_firmware | * |
On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6869i_sip_firmware | 4.5.0.41 |
A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | 6970_firmware | * |
| mitel | 6865i_sip_firmware | * |
| mitel | 6920w_sip_firmware | * |
| mitel | 6940_sip_firmware | * |
| mitel | 6930_sip_firmware | * |
| mitel | 6915_sip_firmware | * |
| mitel | 6920_sip_firmware | * |
| mitel | 6930w_sip_firmware | * |
| mitel | 6873i_sip_firmware | * |
| mitel | 6910_sip_firmware | * |
| mitel | 6940w_sip_firmware | * |
| mitel | 6905_sip_firmware | * |
| mitel | 6869i_sip_firmware | * |
| mitel | 6867i_sip_firmware | * |
| mitel | 6863i_sip_firmware | * |
A vulnerability in the Web Conferencing Component of Mitel MiCollab through 9.8.1.5 could allow an authenticated attacker to conduct a command injection attack, due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary commands on the system within the context of the user.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the Web Interface component of Mitel MiCollab through 9.8 SP1 (9.8.1.5) and MiVoice Business Solution Virtual Instance (MiVB SVI) through 1.0.0.27 could allow an authenticated attacker to conduct a command injection attack, due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands with elevated privileges within the context of the system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
| mitel | mivoice_business_solution_virtual_instance | * |
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.1.0.4 could allow an unauthenticated attacker to conduct an unauthorized access attack due to inadequate access control checks. A successful exploit requires user interaction and could allow an attacker to access sensitive information and send unauthorized messages during an active chat session.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
The API Interface of the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct SQL injection due to insufficient sanitization of user input. A successful exploit could allow an attacker with knowledge of specific details to access non-sensitive user provisioning information and execute arbitrary SQL database commands.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access non-sensitive user provisioning information and execute arbitrary SQL database commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H | 3.9 | 5.5 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a CRLF injection attack due to inadequate encoding of user input in URLs. A successful exploit could allow an attacker to perform a phishing attack.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the AWV (Audio, Web, and Video) Conferencing component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to perform unauthorized data-access attacks due to missing authentication mechanisms. A successful exploit could allow an attacker to access and delete sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | 3.9 | 4.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 2.7 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N | 1.2 | 1.4 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 4.4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 0.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | 9.8 |
| mitel | micollab | * |
A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 (10.0.1.101) could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQL database commands.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micollab | * |
A vulnerability in the Provisioning Manager component of Mitel MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14) could allow an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication mechanisms. A successful exploit could allow an attacker to gain unauthorized access to user or admin accounts in the system.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | mivoice_mx-one | * |
| mitel | mivoice_mx-one | 7.8 |
A vulnerability in the Multimedia Email component of Mitel MiContact Center Business through 10.2.0.10 and Mitel CX through 1.1.0.1 could allow an unauthenticated attacker to conduct a Cross-Site Scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction where the email channel is enabled. This could allow an attacker to execute arbitrary scripts in the victim's browser or desktop client application.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| mitel | micontact_center_business | * |
| mitel | cx | * |