A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization.
The vulnerability results from insufficient sanitization of input parameters in the NuPoint Messenger component. An attacker can pass specially crafted input data containing malicious system commands (command injection), which are then executed by the application in the server context. The lack of user identity verification (auth bypass) makes the attack accessible to anyone with network access to the system.
An attacker can take full control of the vulnerable system — gain access to confidential data, modify server resources, or disrupt its availability, which corresponds to a complete breach of confidentiality, integrity, and availability.
Patches available from the manufacturer should be applied according to the references — details in the Mitel security bulletin Product Security Advisory 24-0013 available at: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0013
Mitel MiCollab in versions up to and including 9.8.0.33 (NuPoint Messenger component)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMitel Micollab
APPMitel≤ 9.8.0.33
Related vulnerabilities
Path Traversal w Mitel MiCollab — nieautoryzowany dostęp do danych
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through ...
Command Injection w Mitel MiCollab i MiVoice Business Solution Virtual Instance
SQL Injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia
SQL Injection w komponencie AWV Mitel MiCollab — dostęp bez uwierzytelnienia