Vulnerabilities (CVE)

Filtered by vendor Mitel Subscribe
Total 112 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-37570 1 Mitel 2 6869i Sip, 6869i Sip Firmware 2024-11-21 N/A 8.8 HIGH
On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.
CVE-2024-37569 1 Mitel 2 6869i Sip, 6869i Sip Firmware 2024-11-21 N/A 8.8 HIGH
An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x through 5.0.0.1018 devices. A command injection vulnerability exists in the hostname parameter taken in by the provis.html endpoint. The provis.html endpoint performs no sanitization on the hostname parameter (sent by an authenticated user), which is subsequently written to disk. During boot, the hostname parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the hostname parameter.
CVE-2024-30157 1 Mitel 1 Micollab 2024-11-21 N/A 7.2 HIGH
A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.
CVE-2023-40266 1 Mitel 1 Unify Openscape Xpressions Webassistant 2024-11-21 N/A 9.8 CRITICAL
An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows path traversal.
CVE-2023-40265 1 Mitel 1 Unify Openscape Xpressions Webassistant 2024-11-21 N/A 8.8 HIGH
An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows authenticated remote code execution via file upload.
CVE-2023-39293 1 Mitel 3 Mivoice Office 400, Mivoice Office 400 Smb Controller, Mivoice Office 400 Smb Controller Firmware 2024-11-21 N/A 9.8 CRITICAL
A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system.
CVE-2023-39292 1 Mitel 3 Mivoice Office 400, Mivoice Office 400 Smb Controller, Mivoice Office 400 Smb Controller Firmware 2024-11-21 N/A 9.8 CRITICAL
A SQL Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to access sensitive information and execute arbitrary database and management operations.
CVE-2023-39291 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 4.9 MEDIUM
A vulnerability in the Connect Mobility Router component of MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.
CVE-2023-39290 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 4.9 MEDIUM
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through R19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.
CVE-2023-39289 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 7.5 HIGH
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2208.101 could allow an unauthenticated attacker to conduct an account enumeration attack due to improper configuration. A successful exploit could allow an attacker to access system information.
CVE-2023-39288 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 5.5 MEDIUM
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CVE-2023-39287 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 5.5 MEDIUM
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CVE-2023-39286 1 Mitel 1 Connect Mobility Router 2024-11-21 N/A 4.3 MEDIUM
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.
CVE-2023-39285 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 4.3 MEDIUM
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.
CVE-2023-32748 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 9.8 CRITICAL
The Linux DVS server component of Mitel MiVoice Connect through 19.3 SP2 (22.24.1500.0) could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.
CVE-2023-31460 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 7.2 HIGH
A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters.
CVE-2023-31459 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 8.8 HIGH
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.
CVE-2023-31458 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 9.8 CRITICAL
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands.
CVE-2023-31457 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 9.8 CRITICAL
A vulnerability in the Headquarters server component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control.
CVE-2023-25599 1 Mitel 1 Mivoice Connect 2024-11-21 N/A 7.4 HIGH
A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts.