CVE-2018-9102

Published: Apr 25, 2018Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the signin interface. A successful exploit could allow an attacker to extract sensitive information from the database.

Affected (2)

Products: Mitel: Mivoice Connect, St 14.2

2 products

Mivoice Connect

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mitel Mivoice Connect	Up to 21.84.5535.0
Mitel St 14.2	Up to 19.49.5200.0

Related CWEs

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

References (4)

https://www.mitel.com/mitel-product-security-advisory-18-0003

Source: cve@mitre.org

Broken LinkVendor Advisory

https://www.mitel.com/sites/default/files/2018-Security-Bulletin-18-0003-001.pdf

Source: cve@mitre.org

Broken LinkVendor Advisory

https://www.mitel.com/mitel-product-security-advisory-18-0003

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkVendor Advisory

https://www.mitel.com/sites/default/files/2018-Security-Bulletin-18-0003-001.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkVendor Advisory

Timeline

No history available yet.