
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN365

_____________________________________________________________________

DATE                : 18/06/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running MiCollab versions prior to
                               9.8 SP3 (9.8.3.1).

=====================================================================
https://www.mitel.com/support/mitel-product-security-advisory-misa-2025-0007
_____________________________________________________________________

Mitel Product Security Advisory MISA-2025-0007
MiCollab Path Traversal Vulnerability

Advisory ID: MISA-2025-0007
Publish Date: 2025-06-11
Last Updated: 2025-06-11
Revision: 1.0
 
Summary

A path traversal vulnerability in the NuPoint Unified Messaging (NPM)
component of Mitel MiCollab could allow an unauthenticated attacker
to conduct a path traversal attack due to insufficient input validation. 

A successful exploit of this vulnerability could allow an attacker to
gain unauthorized access, with potential impacts to the
confidentiality, integrity, and availability of the system. If the
vulnerability is successfully exploited, an attacker could gain
unauthenticated access to provisioning information including
non-sensitive user and network information and perform unauthorized
administrative actions on the MiCollab Server.
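The defect class named in the summary is insufficient validation of a client-supplied path. The following is an added illustration written for this bulletin, not Mitel's code, and it says nothing about how NPM actually handles paths: a weak check (join, then string-prefix compare) beside a check that rejects traversal structurally. The base directory and the request paths are constructed for the example.

```python
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

# Constructed storage root for the example; the real NPM layout is not
# described in the advisory and is not assumed here.
BASE_DIR = PurePosixPath("/srv/example/mailboxes")


class PathRejected(ValueError):
    """Raised when a client-supplied path fails validation."""


def weak_join(user_path: str, base: PurePosixPath = BASE_DIR) -> str:
    """Insufficient input validation: join, then prefix-check the raw string.
    '..' segments are never normalised, so a traversal string passes the
    check and the operating system later resolves it outside the base."""
    candidate = f"{base}/{user_path}"
    if not candidate.startswith(f"{base}/"):
        raise PathRejected(user_path)
    return candidate


def safe_join(user_path: str, base: PurePosixPath = BASE_DIR) -> PurePosixPath:
    """Validate a decoded, relative client path and return the normalised
    absolute path under *base*, or raise PathRejected.

    This check is lexical only. On a live filesystem, additionally compare
    realpath() of both sides (or open with RESOLVE_BENEATH / O_NOFOLLOW) so
    that a symlink inside the base cannot point outside it.
    """
    if not user_path or "\x00" in user_path:
        raise PathRejected("empty path or NUL byte")
    rel = PurePosixPath(user_path)
    if rel.is_absolute():
        raise PathRejected("absolute path not allowed")
    if any(part == ".." for part in rel.parts):
        raise PathRejected("parent-directory segment not allowed")
    # Collapse '.', '//' and similar, then re-check containment structurally:
    # a parents check, not a string prefix, so '/srv/example/mailboxes-old'
    # would not count as being under '/srv/example/mailboxes'.
    normalised = PurePosixPath(posixpath.normpath(str(base / rel)))
    if base not in normalised.parents:
        raise PathRejected("path escapes the base directory")
    return normalised


def accepts(user_path: str) -> bool:
    """True if safe_join admits the (already-decoded) path."""
    try:
        safe_join(user_path)
    except PathRejected:
        return False
    return True


def audit(raw_request_paths):
    """Compare both checks over raw request paths. Percent-decoding is done
    exactly once, before validation; decoding again afterwards would reopen
    the hole, which is why the checker itself never decodes."""
    report = {}
    for raw in raw_request_paths:
        decoded = unquote(raw)
        try:
            weak_join(decoded)
            weak_ok = True
        except PathRejected:
            weak_ok = False
        report[raw] = {
            "decoded": decoded,
            "weak_accepts": weak_ok,
            "safe_accepts": accepts(decoded),
        }
    return report


# Constructed request paths for the demonstration, not taken from any traffic.
SAMPLE_REQUESTS = [
    "inbox/msg001.wav",          # legitimate file under the base
    "../../etc/passwd",          # parent-directory traversal
    "inbox/../../etc/passwd",    # traversal after a valid first segment
    "%2e%2e/%2e%2e/etc/passwd",  # encoded once: decoded before the check
    "%252e%252e/secret",         # double-encoded: decodes to a literal '%2e%2e' name, stays inside
    "/etc/passwd",               # absolute path
]

if __name__ == "__main__":
    for raw, verdict in audit(SAMPLE_REQUESTS).items():
        print(f"{raw!r:32} weak={verdict['weak_accepts']!s:5} safe={verdict['safe_accepts']}")
```

The weak check admits every sample except none of them: it rejects nothing that matters, because `"/srv/example/mailboxes/../../etc/passwd"` does start with the base string. The structural check rejects the traversal and absolute cases and keeps only the paths whose normalised form has the base among its parents.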

The vulnerability severity is rated as critical. 

Mitel is recommending customers with affected product versions
update to the latest release.

Credit is given to Dahmani Toumi, security researcher, for
highlighting these issues and bringing these to our attention.

 
Affected Products and Solutions

This security advisory provides information on the following
products: 

PRODUCT NAME   VERSION(S) AFFECTED              SOLUTION(S) AVAILABLE
MiCollab       9.8 SP2 (9.8.2.12) and earlier   Upgrade to MiCollab version 9.8 SP3 (9.8.3.1) or later.

Alternative Solution: Mitel has provided a patch that is available
for releases 6.0 and above.

Note: MiCollab versions 10.0.0.26 or later are not impacted.
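The version boundaries above (9.8.2.12 and earlier affected, 9.8.3.1 fixed, 10.0.0.26 or later not impacted, interim patch for releases 6.0 and above) are easy to misread when checking a fleet. The script below is an added triage helper written for this bulletin, not a Mitel tool; it parses version strings as they appear in the advisory, applies exactly those boundaries, and reports "unknown" for ranges the advisory does not address. The inventory lines are constructed.

```python
import re

# Version boundaries as stated in MISA-2025-0007 (tuples compare element-wise).
LAST_AFFECTED = (9, 8, 2, 12)       # "9.8 SP2 (9.8.2.12) and earlier"
FIXED_FROM = (9, 8, 3, 1)           # "9.8 SP3 (9.8.3.1) or later"
NOT_IMPACTED_FROM = (10, 0, 0, 26)  # "10.0.0.26 or later are not impacted"
PATCH_FLOOR = (6, 0)                # interim patch "for releases 6.0 and above"

_PAREN = re.compile(r"\((\d+(?:\.\d+)+)\)")
_DOTTED = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple:
    """Extract the build number from '9.8.2.12' or '9.8 SP2 (9.8.2.12)'.
    The parenthesised build wins when present, since 'SP' labels map to it."""
    m = _PAREN.search(text)
    dotted = m.group(1) if m else None
    if dotted is None:
        m = _DOTTED.search(text)
        if not m:
            raise ValueError(f"no version number in {text!r}")
        dotted = m.group(0)
    return tuple(int(p) for p in dotted.split("."))


def triage(version_text: str) -> tuple:
    """Return (status, advice); status is one of
    'affected', 'fixed', 'not_impacted', 'unknown'."""
    v = parse_version(version_text)
    if v >= NOT_IMPACTED_FROM:
        return ("not_impacted", "10.0.0.26 or later: not impacted per MISA-2025-0007")
    if v >= (10,):
        # 10.0.0 builds below .26 are not mentioned in the advisory at all.
        return ("unknown", "10.0.0 build earlier than 10.0.0.26: not addressed by the advisory; confirm with Mitel")
    if v >= FIXED_FROM:
        return ("fixed", "9.8 SP3 (9.8.3.1) or later: issue corrected")
    if v <= LAST_AFFECTED:
        if v >= PATCH_FLOOR:
            return ("affected", "upgrade to 9.8.3.1 or later, or apply the interim patch (KB SO8539) until the upgrade")
        return ("affected", "upgrade to 9.8.3.1 or later; the advisory lists no interim patch below release 6.0")
    return ("unknown", "between 9.8.2.12 and 9.8.3.1: not addressed by the advisory; confirm with Mitel")


# Constructed inventory ("host,version as reported by the system"); hosts
# and the version numbers not quoted from the advisory are made up.
SAMPLE_INVENTORY = """\
micollab-01,9.8 SP2 (9.8.2.12)
micollab-02,9.8 SP3 (9.8.3.1)
micollab-03,9.8.1.6
micollab-04,10.0.0.26
micollab-05,10.0.0.10
micollab-06,5.1.2.3
"""


def triage_inventory(csv_text: str) -> dict:
    """Map each host to its (status, advice) pair."""
    results = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(",", 1)
        results[host.strip()] = triage(version.strip())
    return results


if __name__ == "__main__":
    for host, (status, advice) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status:13} {advice}")
```

Tuple comparison is what makes the boundaries exact: `(9, 8, 2, 12) <= LAST_AFFECTED` is true while `(9, 8, 2, 13)` is not, and a build that falls in a gap the advisory never mentions is surfaced as "unknown" rather than silently marked safe.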

 
Vulnerability Severity

The following products have been identified as affected:

PRODUCT NAME   CVE ID   SEVERITY / CVSS 3.1 BASE SCORE   CVSS 3.1 VECTOR
MiCollab                Critical / 9.8                   AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The vulnerability severity is rated as critical.

Mitigations / Workarounds

Customers with affected product versions should upgrade to the
highlighted solution versions or later.

For customers who are not currently able to upgrade to the latest
version in a timely manner, Mitel has provided a patch that is
available for releases 6.0 and above.

See the KMS article for instructions regarding both the upgrade
and the patch.

Solution / Recommended Action

This issue is corrected in 9.8 SP3 (9.8.3.1) or later releases.
Customers are advised to upgrade to this or subsequent releases. 

Please see Mitel Knowledge Base article SO8539, “MiCollab
Security Update Path Traversal Vulnerability”
https://mitel.custhelp.com/app/answers/answer_view/a_id/1021759

If you do not have access to this link, please contact your
Mitel Authorized Partner for support.

For further information, please contact Mitel Product Support.


Revision History

Version   Date         Description
1.0       2025-06-11   Initial release

 
Publisher and Legal Disclaimer
Publisher: Mitel PSIRT / [email protected]

The information provided in this advisory is provided "as is"
without warranty of any kind. The information is subject to
change without notice. Mitel and its affiliates do not guarantee
and accept no legal liability whatsoever arising from or
connected to the accuracy, reliability, currency or completeness
of the information provided. No part of this document can be
reproduced or transmitted in any form or by any means - electronic
or mechanical - for any purpose without written permission from
Mitel Networks Corporation.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
