CVE-2022-36453
https://notcve.org/view.php?id=CVE-2022-36453
A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number.
• https://www.mitel.com/support/security-advisories
• https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0006
CVE-2022-26143 – MiCollab, MiVoice Business Express Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2022-26143
The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.
A vulnerability has been identified in MiCollab and MiVoice Business Express that may allow a malicious actor to gain unauthorized access to sensitive information and services, cause performance degradations or a denial of service condition on the affected system.
• https://arstechnica.com/information-technology/2022/03/ddosers-use-new-method-capable-of-amplifying-traffic-by-a-factor-of-4-billion
• https://blog.cloudflare.com/cve-2022-26143
• https://news.ycombinator.com/item?id=30614073
• https://team-cymru.com/blog/2022/03/08/record-breaking-ddos-potential-discovered-cve-2022-26143
• https://www.akamai.com/blog/security/phone-home-ddos-attack-vector
• https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-22-0001
• https://www.sha
• CWE-306: Missing Authentication for Critical Function