CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-35286

CVSS 9.8v3.1pub. 2024-10-21upd. 2025-07-07

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.

🤖 AI Analysis
How it works

The NuPoint Messenger (NPM) component in Mitel MiCollab does not perform sufficient validation and sanitization of user-supplied input data. An attacker can inject malicious SQL code in an appropriate request without the need to possess any account or credentials. The vulnerability is accessible remotely over the network, without requiring any interaction from the victim, which significantly lowers the attack threshold.

Impact

Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive data stored in the database and perform arbitrary operations on the database and management system, which may lead to data theft, modification, or complete integrity violation of the system.

Mitigation & patch

Security patches available from the vendor should be applied in accordance with the references — details in the Mitel Product Security Advisory 24-0014 available at: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014

Who is affected

Mitel MiCollab in versions up to and including 9.8.0.33 (NuPoint Messenger component — NPM)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mitel Micollab

    APP
    Mitel
    ≤ 9.8.0.33
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SQLiAuth Bypass
CWE
References

Related vulnerabilities

CVE-2024-41713CRITICAL9.1⚠ KEVPL ✓ten sam produkt

Path Traversal w Mitel MiCollab — nieautoryzowany dostęp do danych

CVE-2022-26143CRITICAL9.8⚠ KEVten sam produkt

The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through ...

CVE-2024-35314CRITICAL9.8PL ✓ten sam produkt

Command Injection w Mitel MiCollab i MiVoice Business Solution Virtual Instance

CVE-2024-35285CRITICAL9.8PL ✓ten sam produkt

Command injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia

CVE-2024-47223CRITICAL9.4PL ✓ten sam produkt

SQL Injection w komponencie AWV Mitel MiCollab — dostęp bez uwierzytelnienia