
DIVD-2024-00050 - Path traversal vulnerability in Mitel MiCollab

Our reference: DIVD-2024-00050
Case lead: Alwin Warringa
Researcher(s):
CVE(s): CVE-2024-41713
Products:
  • Mitel MiCollab
Versions:
  • 9.8 SP1 FP2 (9.8.1.201) and earlier
Recommendation: Upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later
Patch status: Patch available
Workaround: none
Status: Open
Last modified: 06 Dec 2024 13:56 CET

Summary

A path traversal vulnerability, CVE-2024-41713, in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit could give an attacker unauthorized access, with potential impact on the confidentiality, integrity, and availability of the system. Because no authentication is required, an attacker could obtain provisioning information, including non-sensitive user and network information, and perform unauthorized administrative actions on the MiCollab server.
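The root cause named above is insufficient input validation on a user-supplied path. The following added example (written for this page, not Mitel's code and not DIVD's scanner; the document root and the request paths are constructed) shows the generic 'before' pattern, where a request path is joined onto a base directory unchecked, next to a containment check that decodes the input, resolves `..` and symlinks, and then requires the result to stay inside the base directory. It also covers percent-encoded and double-encoded traversal sequences, which a single decode step would miss.

```python
"""Added illustration (not Mitel's code or DIVD's scanner): why insufficient
input validation on a user-supplied path allows traversal, and what a
containment check that resolves the path against a fixed base looks like.
"""
import os
import urllib.parse
from pathlib import Path

# Hypothetical document root (constructed for this example); any web
# application that serves files from disk has an equivalent.
BASE_DIR = Path("/srv/app/public").resolve()


class TraversalRejected(ValueError):
    """Raised when a request path would leave the document root."""


def vulnerable_resolve(user_path: str, base_dir: Path = BASE_DIR) -> Path:
    """'Before' pattern: the request path is joined onto the base without
    normalising or checking containment, so '../' escapes base_dir."""
    return Path(os.path.join(str(base_dir), user_path))


def escapes_base(candidate: Path, base_dir: Path = BASE_DIR) -> bool:
    """True if the fully resolved candidate lies outside base_dir."""
    try:
        candidate.resolve().relative_to(base_dir)
        return False
    except ValueError:
        return True


def safe_resolve(user_path: str, base_dir: Path = BASE_DIR) -> Path:
    """Hardened pattern: fully decode, refuse absolute paths and NUL bytes,
    resolve '..' and symlinks, then require the result to stay inside base_dir."""
    decoded = user_path
    # Decode until stable (bounded) so that double-encoded %252e%252e is caught
    for _ in range(3):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    # Treat backslashes as separators so 'a\..\b' is normalised like 'a/../b'
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise TraversalRejected("absolute path not allowed")
    candidate = (base_dir / decoded).resolve()
    if escapes_base(candidate, base_dir):
        raise TraversalRejected(f"path escapes base directory: {user_path!r}")
    return candidate


def is_rejected(user_path: str) -> bool:
    """Convenience wrapper: True if safe_resolve() refuses the request path."""
    try:
        safe_resolve(user_path)
        return False
    except TraversalRejected:
        return True


if __name__ == "__main__":
    # Constructed request paths: one benign, the rest traversal attempts
    for p in ["css/app.css", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd"]:
        print(f"{p!r:32} vulnerable -> escapes={escapes_base(vulnerable_resolve(p))}"
              f"  hardened -> rejected={is_rejected(p)}")
```

The decisive check is the final `relative_to` on the resolved path, not a blocklist of `..` substrings: encoding tricks and mixed separators are all collapsed by resolution before containment is tested, so a new bypass of the decoder still has to produce a path under the base directory to be accepted.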

Recommendations

To remediate CVE-2024-41713, upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later. You can find a link to the Mitel bulletin at the bottom of this post.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Mitel MiCollab and to notify these parties.

Timeline

Date          Description
05 Dec 2024   DIVD starts researching the vulnerability.
06 Dec 2024   DIVD finds a fingerprint and prepares to scan.
06 Dec 2024   Case opened and first scan started.
06 Dec 2024   DIVD starts notifying network owners with vulnerable devices in their network.

More information