-
Notifications
You must be signed in to change notification settings - Fork 48
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #886 from DIVD-NL/sT0wn-nl-patch-2
Create DIVD-2024-00050.md
- Loading branch information
Showing
1 changed file
with
50 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| layout: case | ||
| title: "Path traversal vulnerabilty in Mitel MiCollab" | ||
| author: Alwin Warringa | ||
| lead: Alwin Warringa | ||
| excerpt: "A path traversal vulnerability, CVE-2024-41713, in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation" | ||
| researchers: | ||
| - Alwin Warringa | ||
| - Stan Plasmeijer | ||
| - Koen Schagen | ||
| cves: | ||
| - CVE-2024-41713 | ||
| product: | ||
| - Mitel MiCollab | ||
| versions: | ||
| - 9.8 SP1 FP2 (9.8.1.201) and earlier | ||
| recommendation: "Upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later" | ||
| workaround: "none" | ||
| patch_status: Patch available | ||
| status : Open | ||
| start: 2024-12-05 | ||
| timeline: | ||
| - start: 2024-12-05 | ||
| end: | ||
| event: "DIVD starts researching the vulnerability." | ||
| - start: 2024-12-06 | ||
| end: | ||
| event: "DIVD finds fingerprint, preparing to scan." | ||
| - start: 2024-12-06 | ||
| end: | ||
| event: "Case opened and starting first scan." | ||
| --- | ||
|
|
||
| ## Summary | ||
| A path traversal vulnerability, {% cve CVE-2024-41713 %}, in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system. This vulnerability is exploitable without authentication. If the vulnerability is successfully exploited, an attacker could gain unauthenticated access to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server. | ||
|
|
||
| ## Recommendations | ||
|
|
||
| To remediate {% cve CVE-2024-41713 %}, upgrade to MiCollab 9.8 SP2 (9.8.2.12) or later. You can find a link to the Mitel bulletin at the bottom of this post. | ||
|
|
||
| ## What we are doing | ||
|
|
||
| DIVD is currently working to identify parties that are running a vulnerable version of Mitel MiCollab and to notify these parties. | ||
|
|
||
| {% include timeline.html %} | ||
|
|
||
| ## More information | ||
|
|
||
| * {% cve CVE-2024-41713 %} | ||
| * [Mitel MiCollab Security Bulletin](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029) |