A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.
The NuPoint Messenger (NPM) component in Mitel MiCollab does not perform sufficient validation and sanitization of user-supplied input data. An attacker can inject malicious SQL code in an appropriate request without the need to possess any account or credentials. The vulnerability is accessible remotely over the network, without requiring any interaction from the victim, which significantly lowers the attack threshold.
Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to sensitive data stored in the database and perform arbitrary operations on the database and management system, which may lead to data theft, modification, or complete integrity violation of the system.
Security patches available from the vendor should be applied in accordance with the references — details in the Mitel Product Security Advisory 24-0014 available at: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014
Mitel MiCollab in versions up to and including 9.8.0.33 (NuPoint Messenger component — NPM)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMitel Micollab
APPMitel≤ 9.8.0.33
Related vulnerabilities
Path Traversal w Mitel MiCollab — nieautoryzowany dostęp do danych
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through ...
Command Injection w Mitel MiCollab i MiVoice Business Solution Virtual Instance
Command injection w Mitel MiCollab NuPoint Messenger — dostęp bez uwierzytelnienia
SQL Injection w komponencie AWV Mitel MiCollab — dostęp bez uwierzytelnienia