CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-35285

CVSS 9.8v3.1pub. 2024-10-21upd. 2025-07-07

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization.

🤖 AI Analysis
How it works

The vulnerability results from insufficient sanitization of input parameters in the NuPoint Messenger component. An attacker can pass specially crafted input data containing malicious system commands (command injection), which are then executed by the application in the server context. The lack of user identity verification (auth bypass) makes the attack accessible to anyone with network access to the system.

Impact

An attacker can take full control of the vulnerable system — gain access to confidential data, modify server resources, or disrupt its availability, which corresponds to a complete breach of confidentiality, integrity, and availability.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references — details in the Mitel security bulletin Product Security Advisory 24-0013 available at: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0013

Who is affected

Mitel MiCollab in versions up to and including 9.8.0.33 (NuPoint Messenger component)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mitel Micollab

    APP
    Mitel
    ≤ 9.8.0.33
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-41713CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Path Traversal w Mitel MiCollab — nieautoryzowany dostęp do danych

CVE-2022-26143CRITICAL9.8⚠ KEVten sam produkt

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through ...

CVE-2024-35314CRITICAL9.8PL ✓ten sam produkt

Command Injection w Mitel MiCollab i MiVoice Business Solution Virtual Instance

CVE-2024-35286CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia

CVE-2024-47223CRITICAL9.4PL ✓ten sam produkt

SQL Injection w komponencie AWV Mitel MiCollab — dostęp bez uwierzytelnienia