Mitel Issues Critical Fixes for XSS Vulnerabilities in MiContact Center Business
In its latest security bulletins, Mitel Networks Corporation has addressed critical security concerns for users of the MiContact Center Business platform. These updates tackle significant vulnerabilities that could allow unauthorized script execution through cross-site scripting (XSS) attacks.
Stored XSS Vulnerability – Critical Risk
Mitel’s Security Bulletin 24-0011-001 details a critical stored XSS vulnerability (CVE pending) in the Ignite component of MiContact Center Business. This vulnerability, with a CVSS v3.1 score of 9.3, allows an unauthenticated attacker to store malicious scripts on the server, which are then executed when other users access the impacted parts of the application. This type of vulnerability is particularly dangerous because it does not require the victim to take any action beyond using the application as intended.
Affected Versions:
- MiContact Center Business versions up to 10.0.0.4 (including Hotfix KB560110)
Mitigation Steps:
- Users are urged to upgrade to MiContact Center Business version 10.1.0.1.
- Alternatively, Mitel has released hotfixes KB560730 and KB560732 for versions 10.0.0.4 and 9.5.0.3, respectively.
- Mitel also advises turning off the Legacy Chat or transitioning to CloudLink Contact Center Messenger Chat to mitigate risks.
Reflected XSS Vulnerability – High Risk
The second security bulletin, 24-0012-001, addresses a high-risk reflected XSS vulnerability (CVE pending) found in the Legacy Chat component of the same platform. This reflected XSS issue, scoring an 8.1 on the CVSS v3.1 scale, could enable an unauthenticated attacker to trick a user into executing malicious scripts by following a specially crafted link or message. Unlike stored XSS, reflected XSS requires user interaction but is equally capable of significant damage.
Affected Versions:
- Same as above: MiContact Center Business versions up to 10.0.0.4.
Mitigation Steps:
- Mitel again recommends upgrading to version 10.1.0.1 or applying the provided hotfixes KB560730 and KB560732.
Conclusion
Both vulnerabilities are tied to the legacy components of MiContact Center Business and underscore the importance of maintaining up-to-date software to safeguard against potential cyber threats. Users affected by these vulnerabilities should apply the recommended updates or hotfixes immediately to secure their systems.