CVE-2022-36453
https://notcve.org/view.php?id=CVE-2022-36453
A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number. Una vulnerabilidad en la API del cliente de MiCollab de Mitel MiCollab versiones 9.1.3 hasta 9.5.0.101, podría permitir a un atacante autenticado modificar los parámetros de su perfil debido a controles de autorización inapropiados. Una explotación con éxito podría permitir al atacante autenticado controlar otro número de extensión • https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0006 •
CVE-2022-26143 – MiCollab, MiVoice Business Express Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2022-26143
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack. El componente TP-240 (también conocido como tp240dvr) en Mitel MiCollab versiones anteriores a 9.4 SP1 FP1 y MiVoice Business Express versiones hasta 8.1, permite a atacantes remotos obtener información confidencial y causar una denegación de servicio (degradación del rendimiento y tráfico saliente excesivo). Esto fue explotado "in the wild" en febrero y marzo de 2022 para el ataque DDoS TP240PhoneHome A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradations or a denial of service condition on the affected system. • https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion https://blog.cloudflare.com/cve-2022-26143 https://news.ycombinator.com/item?id=30614073 https://team-cymru.com/blog/2022/03/08/record-breaking-ddos-potential-discovered-cve-2022-26143 https://www.akamai.com/blog/security/phone-home-ddos-attack-vector https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0001 https://www.sha • CWE-306: Missing Authentication for Critical Function •
CVE-2021-32069
https://notcve.org/view.php?id=CVE-2021-32069
The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data. El componente AWV de Mitel MiCollab versiones anteriores a 9.3, podría permitir a un atacante llevar a cabo un ataque de tipo Man-In-the-Middle debido a una negociación TLS inapropiado. Una explotación con éxito podría permitir a un atacante visualizar y modificar datos. • https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-21-0005 • CWE-295: Improper Certificate Validation •
CVE-2021-32072
https://notcve.org/view.php?id=CVE-2021-32072
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods. El componente MiCollab Client Service en Mitel MiCollab versiones anteriores a 9.3, podría permitir a un atacante conseguir información del código fuente (divulgando datos confidenciales de la aplicación) debido a una insuficiente saneamiento de la salida. Una explotación con éxito podría permitir a un atacante visualizar métodos de código fuente. • https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-21-0005 • CWE-116: Improper Encoding or Escaping of Output •
CVE-2021-32071
https://notcve.org/view.php?id=CVE-2021-32071
The MiCollab Client service in Mitel MiCollab before 9.3 could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data, and cause a denial of service for users. El servicio MiCollab Client de Mitel MiCollab versiones anteriores a 9.3, podría permitir a un usuario no autenticado conseguir acceso al sistema debido a un control de acceso inapropiado. Una explotación con éxito podría permitir a un atacante visualizar y modificar los datos de la aplicación, y causar una denegación de servicio para usuarios. • https://www.mitel.com/support/security-advisories https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-21-0005 •