Summary
Detail | Value | Detail | Value |
---|---|---|---|
Vendor | Mitel | First view | 2014-04-07 |
Product | Micollab | Last view | 2023-04-14 |
Version | | Type | |
Update | | | |
Edition | | | |
Language | | | |
Software Edition | | | |
Target Software | | | |
Target Hardware | | | |
Other | | | |
Activity: Overall (chart)
Common Platform Enumeration: Repartition per Version (chart)
Related: CVE
CVSS | Date | CVE | Description |
---|---|---|---|
5.9 | 2023-04-14 | CVE-2023-25597 | A vulnerability in the web conferencing component of Mitel MiCollab through 9.6.2.9 could allow an unauthenticated attacker to download a shared file via a crafted request - including the exact path and filename - due to improper authentication control. A successful exploit could allow access to sensitive information. |
9.8 | 2022-11-22 | CVE-2022-41326 | The web conferencing component of Mitel MiCollab through 9.6.0.13 could allow an unauthenticated attacker to upload arbitrary scripts due to improper authorization controls. A successful exploit could allow remote code execution within the context of the application. |
6.5 | 2022-10-25 | CVE-2022-36454 | A vulnerability in the MiCollab Client API of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to impersonate another user's name. |
8.8 | 2022-10-25 | CVE-2022-36453 | A vulnerability in the MiCollab Client API of Mitel MiCollab 9.1.3 through 9.5.0.101 could allow an authenticated attacker to modify their profile parameters due to improper authorization controls. A successful exploit could allow the authenticated attacker to control another extension number. |
9.8 | 2022-10-25 | CVE-2022-36452 | A vulnerability in the web conferencing component of Mitel MiCollab through 9.5.0.101 could allow an unauthenticated attacker to upload malicious files. A successful exploit could allow an attacker to execute arbitrary code within the context of the application. |
8.8 | 2022-10-25 | CVE-2022-36451 | A vulnerability in the MiCollab Client server component of Mitel MiCollab through 9.5.0.101 could allow an authenticated attacker to conduct a Server-Side Request Forgery (SSRF) attack due to insufficient restriction of URL parameters. A successful exploit could allow an attacker to leverage connections and permissions available to the host server. |
9.8 | 2022-03-10 | CVE-2022-26143 | The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack. |
6.5 | 2021-08-13 | CVE-2021-32072 | The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to get source code information (disclosing sensitive application data) due to insufficient output sanitization. A successful exploit could allow an attacker to view source code methods. |
9.8 | 2021-08-13 | CVE-2021-32071 | The MiCollab Client service in Mitel MiCollab before 9.3 could allow an unauthenticated user to gain system access due to improper access control. A successful exploit could allow an attacker to view and modify application data, and cause a denial of service for users. |
5.4 | 2021-08-13 | CVE-2021-32070 | The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to perform a clickjacking attack due to an insecure header response. A successful exploit could allow an attacker to modify the browser header and redirect users. |
4.8 | 2021-08-13 | CVE-2021-32069 | The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data. |
3.7 | 2021-08-13 | CVE-2021-32068 | The AWV and MiCollab Client Service components in Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack by sending multiple session renegotiation requests, due to insufficient TLS session controls. A successful exploit could allow an attacker to modify application data and state. |
6.5 | 2021-08-13 | CVE-2021-32067 | The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization. |
6.5 | 2021-08-13 | CVE-2021-27402 | The SAS Admin portal of Mitel MiCollab before 9.2 FP2 could allow an unauthenticated attacker to access (view and modify) user data by injecting arbitrary directory paths due to improper URL validation, aka Directory Traversal. |
6.1 | 2021-08-13 | CVE-2021-27401 | The Join Meeting page of Mitel MiCollab Web Client before 9.2 FP2 could allow an attacker to access (view and modify) user data by executing arbitrary code due to insufficient input validation, aka Cross-Site Scripting (XSS). |
9.1 | 2021-01-29 | CVE-2020-35547 | A library index page in NuPoint Messenger in Mitel MiCollab before 9.2 FP1 could allow an unauthenticated attacker to gain access (view and modify) to user data. |
6.1 | 2020-12-18 | CVE-2020-27340 | The online help portal of Mitel MiCollab before 9.2 could allow an attacker to redirect a user to an unauthorized website by executing malicious script due to insufficient access control. |
4.9 | 2020-12-18 | CVE-2020-25612 | The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an attacker with escalated privilege to access user files due to insufficient access control. Successful exploit could potentially allow an attacker to gain access to sensitive information. |
6.1 | 2020-12-18 | CVE-2020-25611 | The AWV portal of Mitel MiCollab before 9.2 could allow an attacker to gain access to conference information by sending arbitrary code due to improper input validation, aka XSS. Successful exploitation could allow an attacker to view user conference information. |
5.3 | 2020-12-18 | CVE-2020-25610 | The AWV component of Mitel MiCollab before 9.2 could allow an attacker to gain access to a web conference due to insufficient access control for conference codes. |
5.4 | 2020-12-18 | CVE-2020-25609 | The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data. |
7.2 | 2020-12-18 | CVE-2020-25608 | The SAS portal of Mitel MiCollab before 9.2 could allow an attacker to access user credentials due to improper input validation, aka SQL Injection. |
6.1 | 2020-12-18 | CVE-2020-25606 | The AWV component of Mitel MiCollab before 9.2 could allow an attacker to view system information by sending arbitrary code due to improper input validation, aka XSS. |
8.1 | 2020-08-26 | CVE-2020-13863 | The SAS portal of Mitel MiCollab before 9.1.3 could allow an attacker to access user data by performing a header injection in HTTP responses, due to the improper handling of input parameters. A successful exploit could allow an attacker to access user information. |
5.9 | 2020-08-26 | CVE-2020-13767 | The Mitel MiCollab application before 9.1.332 for iOS could allow an unauthorized user to access restricted files and folders due to insufficient access control. An exploit requires a rooted iOS device, and (if successful) could allow an attacker to gain access to sensitive information. |
CWE: Common Weakness Enumeration
% (count) | CWE ID | Name |
---|---|---|
25% (5) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
15% (3) | CWE-20 | Improper Input Validation |
10% (2) | CWE-116 | Improper Encoding or Escaping of Output |
5% (1) | CWE-770 | Allocation of Resources Without Limits or Throttling |
5% (1) | CWE-434 | Unrestricted Upload of File with Dangerous Type |
5% (1) | CWE-306 | Missing Authentication for Critical Function |
5% (1) | CWE-295 | Certificate Issues |
5% (1) | CWE-287 | Improper Authentication |
5% (1) | CWE-203 | Information Exposure Through Discrepancy |
5% (1) | CWE-125 | Out-of-bounds Read |
5% (1) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
5% (1) | CWE-74 | Failure to Sanitize Data into a Different Plane ('Injection') |
5% (1) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
OVAL (Open Vulnerability and Assessment Language): Definitions
OVAL ID | Name |
---|---|
oval:org.mitre.oval:def:24324 | ELSA-2014:0376: openssl security update (Important) |
oval:org.mitre.oval:def:24241 | The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not proper... |
oval:org.mitre.oval:def:24718 | RHSA-2014:0376: openssl security update (Important) |
oval:org.mitre.oval:def:23812 | DEPRECATED: ELSA-2014:0376: openssl security update (Important) |
oval:org.mitre.oval:def:26742 | DEPRECATED: ELSA-2014-0376 -- openssl security update (Important) |
oval:org.mitre.oval:def:29321 | DSA-2896-2 -- openssl -- security update |
ExploitDB Exploits
EDB ID | Description |
---|---|
32998 | Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support |
32791 | Heartbleed OpenSSL - Information Leak Exploit (1) |
32764 | OpenSSL 1.0.1f TLS Heartbeat Extension - Memory Disclosure (Multiple SSL/TLS ... |
32745 | OpenSSL TLS Heartbeat Extension - Memory Disclosure |
Information Assurance Vulnerability Management (IAVM)
IAVM ID | Description |
---|---|
2014-A-0063 | Multiple Vulnerabilities in McAfee VirusScan Enterprise for Linux Severity: Category I - VMSKEY: V0050009 |
2014-A-0062 | Multiple Vulnerabilities In McAfee Email Gateway Severity: Category I - VMSKEY: V0050005 |
2014-B-0050 | McAfee Web Gateway Information Disclosure Vulnerability Severity: Category I - VMSKEY: V0050003 |
2014-B-0046 | Multiple Vulnerabilities in HP System Management Homepage (SMH) Severity: Category I - VMSKEY: V0049737 |
2014-A-0056 | Multiple Vulnerabilities in Oracle Java SE Severity: Category I - VMSKEY: V0049583 |
2014-A-0057 | Multiple Vulnerabilities in Oracle MySQL Products Severity: Category I - VMSKEY: V0049591 |
2014-A-0053 | Multiple Vulnerabilities in Juniper Network JUNOS Severity: Category I - VMSKEY: V0049589 |
2014-A-0054 | Multiple Vulnerabilities in Oracle Database Severity: Category I - VMSKEY: V0049587 |
2014-A-0055 | Multiple Vulnerabilities in Oracle Fusion Middleware Severity: Category I - VMSKEY: V0049585 |
2014-A-0058 | Multiple Vulnerabilities in Oracle & Sun Systems Product Suite Severity: Category I - VMSKEY: V0049579 |
2014-B-0041 | Multiple Vulnerabilities in Splunk Severity: Category I - VMSKEY: V0049577 |
2014-B-0042 | Stunnel Information Disclosure Vulnerability Severity: Category I - VMSKEY: V0049575 |
2014-A-0051 | OpenSSL Information Disclosure Vulnerability Severity: Category I - VMSKEY: V0048667 |
2014-A-0017 | Multiple Vulnerabilities in Cisco TelePresence Video Communication Server Severity: Category I - VMSKEY: V0043846 |
2014-A-0019 | Multiple Vulnerabilities in VMware Fusion Severity: Category I - VMSKEY: V0043844 |
2013-A-0222 | Multiple Vulnerabilities in VMware Workstation Severity: Category II - VMSKEY: V0042383 |
2012-A-0104 | Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client Severity: Category I - VMSKEY: V0033046 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-04-25 | OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt RuleID : 30788-community - Type : SERVER-OTHER - Revision : 5 |
2014-05-24 | OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt RuleID : 30788 - Type : SERVER-OTHER - Revision : 5 |
2014-04-25 | OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30787-community - Type : SERVER-OTHER - Revision : 5 |
2014-05-24 | OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30787 - Type : SERVER-OTHER - Revision : 5 |
2014-04-25 | OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30786-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30786 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt RuleID : 30785-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt RuleID : 30785 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt RuleID : 30784-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt RuleID : 30784 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt RuleID : 30783-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt RuleID : 30783 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30782-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30782 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30781-community - Type : SERVER-OTHER - Revision : 5 |
2014-05-24 | OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30781 - Type : SERVER-OTHER - Revision : 5 |
2014-04-25 | OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30780-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30780 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30779-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt RuleID : 30779 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt RuleID : 30778-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt RuleID : 30778 - Type : SERVER-OTHER - Revision : 4 |
2014-04-25 | OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt RuleID : 30777-community - Type : SERVER-OTHER - Revision : 4 |
2014-05-24 | OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt RuleID : 30777 - Type : SERVER-OTHER - Revision : 4 |
2014-05-17 | OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed at... RuleID : 30742 - Type : SERVER-OTHER - Revision : 2 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2019-01-10 | Name: The remote device is affected by multiple vulnerabilities. File: juniper_space_jsa10917_183R1.nasl - Type: ACT_GATHER_INFO |
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-44f8a7454d.nasl - Type: ACT_GATHER_INFO |
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-527698a904.nasl - Type: ACT_GATHER_INFO |
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-5521156807.nasl - Type: ACT_GATHER_INFO |
2019-01-03 | Name: The remote Fedora host is missing a security update. File: fedora_2018-db0d3e157e.nasl - Type: ACT_GATHER_INFO |
2018-10-31 | Name: The remote host is missing a macOS security update that fixes multiple vulner... File: macosx_SecUpd_10_13_6_2018-002.nasl - Type: ACT_GATHER_INFO |
2018-10-18 | Name: The remote host is missing a macOS update that fixes multiple security vulner... File: macos_10_14.nasl - Type: ACT_GATHER_INFO |
2018-09-18 | Name: The remote EulerOS Virtualization host is missing multiple security updates. File: EulerOS_SA-2018-1265.nasl - Type: ACT_GATHER_INFO |
2018-09-18 | Name: The remote EulerOS Virtualization host is missing a security update. File: EulerOS_SA-2018-1267.nasl - Type: ACT_GATHER_INFO |
2018-09-18 | Name: The remote EulerOS Virtualization host is missing multiple security updates. File: EulerOS_SA-2018-1270.nasl - Type: ACT_GATHER_INFO |
2018-09-18 | Name: The remote EulerOS Virtualization host is missing a security update. File: EulerOS_SA-2018-1271.nasl - Type: ACT_GATHER_INFO |
2018-09-17 | Name: The remote Debian host is missing a security update. File: debian_DLA-1506.nasl - Type: ACT_GATHER_INFO |
2018-08-17 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-4273.nasl - Type: ACT_GATHER_INFO |
2018-07-30 | Name: The remote Slackware host is missing a security update. File: Slackware_SSA_2018-208-01.nasl - Type: ACT_GATHER_INFO |
2018-07-27 | Name: The remote Debian host is missing a security update. File: debian_DLA-1446.nasl - Type: ACT_GATHER_INFO |
2018-07-26 | Name: The remote Amazon Linux 2 host is missing a security update. File: al2_ALAS-2018-1049.nasl - Type: ACT_GATHER_INFO |
2018-07-24 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-1_0-0151.nasl - Type: ACT_GATHER_INFO |
2018-07-24 | Name: The remote PhotonOS host is missing multiple security updates. File: PhotonOS_PHSA-2018-2_0-0049.nasl - Type: ACT_GATHER_INFO |
2018-07-20 | Name: The remote Debian host is missing a security update. File: debian_DLA-1423.nasl - Type: ACT_GATHER_INFO |
2018-07-18 | Name: The remote Virtuozzo host is missing multiple security updates. File: Virtuozzo_VZA-2018-048.nasl - Type: ACT_GATHER_INFO |
2018-07-16 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2018-2162.nasl - Type: ACT_GATHER_INFO |
2018-07-16 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2018-2164.nasl - Type: ACT_GATHER_INFO |
2018-07-09 | Name: The remote Fedora host is missing a security update. File: fedora_2018-9f02e5ed7b.nasl - Type: ACT_GATHER_INFO |
2018-07-05 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2018-1965.nasl - Type: ACT_GATHER_INFO |
2018-07-05 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2018-1997.nasl - Type: ACT_GATHER_INFO |