Mitel Product Security Advisory 18-0003

SQL Injection and Reflected XSS Vulnerabilities in Connect OnSite and ST 14.2

Advisory ID: 18-0003
Publish Date: 2018-01-31
Revision: 1.0

Summary

An SQL injection vulnerability and Reflected Cross Site Scripting (XSS) vulnerabilities have been identified in Connect ONSITE and ST 14.2. These vulnerabilities could lead to exposure of user information stored in the database.

This vulnerability was privately reported to Mitel. Mitel is not aware of customers that have been impacted by this vulnerability.

Mitel is recommending customers with affected product versions update to the latest release.

Credit is given to Kevin McFarland of Sage Data Security for highlighting these issues and bringing these to our attention.

Affected Products

A Security Bulletin is being issued for the following product: 

Product Name Product Versions Security Bulletin Last Updated
Connect ONSITE 21.82.2142.0 and earlier 18-0003-001 2018-01-31
ST14.2 14.2 GA27 and earlier

Risk Assessment

The risk of these vulnerabilities is rated as high. Refer to the product Security Bulletin for additional statements regarding risk.

Mitigation / Recommended Action

Mitel has issued new releases of the affected software. Customers are advised to update their software to the latest versions.

Customers are advised to review the product Security Bulletin. For details on upgrading to the latest Connect ONSITE release, please review the Connect software download page on the partner portal and/or contact your partner or Mitel customer support at: https://oneview.mitel.com/s/support.

External References

n/a

Related CVEs / CWEs / Advisories

n/a

Revision History

Version Date Description
1.0 2018-01-31 Initial version

 

Attachment(s)