DIVD-2024-00050 - Path traversal vulnerabilty in Mitel MiCollab
| Our reference | DIVD-2024-00050 |
| Case lead | Alwin Warringa |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later |
| Patch status | Patch available |
| Workaround | none |
| Status | Open |
| Last modified | 06 Dec 2024 13:56 CET |
Summary
A path traversal vulnerability, CVE-2024-41713, in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system. This vulnerability is exploitable without authentication. If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server.
Recommendations
To remediate CVE-2024-41713, upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later. You can find a link to the Mitel bulletin at the bottom of this post.
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of Mitel MiCollab and to notify these parties.
Timeline
| Date | Description |
|---|---|
| 05 Dec 2024 | DIVD starts researching the vulnerability. |
| 06 Dec 2024 | DIVD finds fingerprint, preparing to scan. |
| 06 Dec 2024 | Case opened and starting first scan. |
| 06 Dec 2024 | DIVD starts notifying network owners with a vulnerable devices in their network. |