CVE-2024-47223 (CVSS 9.4): SQLi Flaw in Mitel MiCollab Poses Severe Risk to Enterprises

MiCollab software - CVE-2024-47223 & CVE-2024-41713

Mitel, a global leader in business communications, has issued a critical security advisory concerning a high-severity SQL injection vulnerability in its MiCollab software, specifically affecting the Audio, Web, and Video Conferencing (AWV) component. Designated as CVE-2024-47223, this flaw carries a CVSS score of 9.4, signaling its potential to cause significant damage if exploited.

This vulnerability stems from insufficient sanitization of user input, allowing an unauthenticated attacker to conduct a SQL injection attack via a specially crafted URL. “A successful exploit of this vulnerability requires a specially crafted URL, and could allow impacts on the confidentiality, integrity and availability of the system,” Mitel warned in its advisory. The risk is particularly pronounced given that MiCollab is widely used in corporate environments for collaboration and conferencing solutions.

Should an attacker successfully exploit CVE-2024-47223, they could gain unauthorized access to non-sensitive user provisioning data, such as usernames and email addresses. However, the potential harm doesn’t stop there. Mitel’s advisory states that an attacker could also “run arbitrary SQL database queries to corrupt or remove tables, potentially rendering the MiCollab system inoperable.”
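The root cause Mitel describes, user input reaching a database query without sanitization, is shown below in a small added example; it is not MiCollab code (the affected implementation is not public here) but a hypothetical provisioning lookup that splices a URL query parameter straight into SQL, beside the same lookup using a bound parameter. The URL, table name and records are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit


def _seed() -> sqlite3.Connection:
    # Constructed sample provisioning data; not real MiCollab records.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, email TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.com'),
                                 ('bob', 'bob@example.com');
    """)
    return conn


def _user_param(url: str) -> str:
    # Pull the 'user' query parameter out of the request URL (percent-decoded).
    return parse_qs(urlsplit(url).query).get("user", [""])[0]


def lookup_vulnerable(url: str) -> list:
    """Insufficient sanitization: the parameter becomes part of the SQL text,
    so a crafted URL changes the query's logic instead of just its value."""
    conn = _seed()
    sql = "SELECT username, email FROM users WHERE username = '" + _user_param(url) + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(url: str) -> list:
    """Hardened form: the driver binds the value separately from the statement,
    so the same crafted input is compared literally and matches nothing."""
    conn = _seed()
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (_user_param(url),)).fetchall()


if __name__ == "__main__":
    # Constructed request whose 'user' value decodes to: ' OR '1'='1
    crafted = "https://conf.example.invalid/lookup?user=%27%20OR%20%271%27%3D%271"
    print("concatenated query returns:", lookup_vulnerable(crafted))   # every row
    print("bound parameter returns:  ", lookup_parameterized(crafted))  # []
```

Only the data-disclosure impact (all usernames and e-mail addresses returned for one crafted request) is reproduced here; sqlite3's `execute` refuses stacked statements, so the table-corruption impact the advisory mentions depends on the real driver and database in use.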

Given the critical nature of this vulnerability, Mitel has strongly advised its customers to update to the latest MiCollab release. “Mitel is recommending customers with affected product versions update to the latest release,” the advisory notes, highlighting that versions prior to MiCollab 9.8 SP2 are vulnerable.

Credit for identifying and reporting this vulnerability has been attributed to Patrick Webster of OSI Security, whose timely discovery brought the issue to Mitel’s attention.

For customers unable to upgrade immediately, Mitel has also provided a temporary patch for versions 9.8, 9.8 SP1, and 9.8 SP1FP1 to mitigate the risk. The patch is available through Mitel’s Knowledge Management System, with specific instructions provided to help secure affected systems.
