CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-35314

CVSS 9.8v3.1pub. 2024-10-21upd. 2025-07-07

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts.

🤖 AI Analysis
How it works

The vulnerability resulted from insufficient sanitization of input parameters in the Desktop client (CWE-94 — improper control of code generation). An attacker can provide specially crafted input data that will be interpreted as commands or scripts by the vulnerable application. Exploitation requires user interaction (e.g., opening a crafted link or file), however the attacker does not need any prior authentication.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary scripts in the context of the application on the victim's device, which may lead to breach of data confidentiality, modification of system resources, and disruption of service availability.

Mitigation & patch

Security patches available from the vendor should be applied according to references published by Mitel in Security Bulletin 24-0015-001 (available at the address indicated in the references). Until the fix is implemented, it is recommended to restrict the ability to run the Desktop client in environments exposed to untrusted input data.

Who is affected

Mitel MiCollab Desktop Client in versions up to and including 9.7.1.110 and Mitel MiVoice Business Solution Virtual Instance (MiVB SVI) version 1.0.0.25.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mitel Micollab

    APP
    Mitel
    ≤ 9.7.1.110
  • Mitel Mivoice Business Solution Virtual Instance

    APP
    Mitel
    1.0.0.25
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-41713CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Path Traversal w Mitel MiCollab — nieautoryzowany dostęp do danych

CVE-2022-26143CRITICAL9.8⚠ KEVten sam produkt

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through ...

CVE-2024-35286CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia

CVE-2024-35285CRITICAL9.8PL ✓ten sam produkt

Command injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia

CVE-2024-47223CRITICAL9.4PL ✓ten sam produkt

SQL Injection w komponencie AWV Mitel MiCollab — dostęp bez uwierzytelnienia