Filtered by vendor Mitel
Subscriptions
Total
132 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-41710 | 1 Mitel | 31 6863i Sip, 6863i Sip Firmware, 6865i Sip and 28 more | 2025-02-18 | 6.8 Medium |
| A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit, through R6.4.0.HF1 (R6.4.0.136) could allow an authenticated attacker with administrative privilege to conduct an argument injection attack, due to insufficient parameter sanitization during the boot process. A successful exploit could allow an attacker to execute arbitrary commands within the context of the system. | ||||
| CVE-2023-25597 | 1 Mitel | 1 Micollab | 2025-02-07 | 5.9 Medium |
| A vulnerability in the web conferencing component of Mitel MiCollab through 9.6.2.9 could allow an unauthenticated attacker to download a shared file via a crafted request - including the exact path and filename - due to improper authentication control. A successful exploit could allow access to sensitive information. | ||||
| CVE-2022-41223 | 1 Mitel | 1 Mivoice Connect | 2025-02-07 | 6.8 Medium |
| The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type. | ||||
| CVE-2014-0160 | 13 Broadcom, Canonical, Debian and 10 more | 37 Symantec Messaging Gateway, Ubuntu Linux, Debian Linux and 34 more | 2025-02-07 | 7.5 High |
| The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. | ||||
| CVE-2022-40765 | 1 Mitel | 1 Mivoice Connect | 2025-02-04 | 6.8 Medium |
| A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of URL parameters. | ||||
| CVE-2023-31460 | 1 Mitel | 1 Mivoice Connect | 2025-01-31 | 7.2 High |
| A vulnerability in the Connect Mobility Router component of MiVoice Connect versions 9.6.2208.101 and earlier could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters. | ||||
| CVE-2023-31459 | 1 Mitel | 1 Mivoice Connect | 2025-01-31 | 8.8 High |
| A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect versions 9.6.2208.101 and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands. | ||||
| CVE-2023-31458 | 1 Mitel | 1 Mivoice Connect | 2025-01-31 | 9.8 Critical |
| A vulnerability in the Edge Gateway component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands. | ||||
| CVE-2023-31457 | 1 Mitel | 1 Mivoice Connect | 2025-01-31 | 9.8 Critical |
| A vulnerability in the Headquarters server component of Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. | ||||
| CVE-2022-29499 | 1 Mitel | 1 Mivoice Connect | 2025-01-29 | 9.8 Critical |
| The Service Appliance component in Mitel MiVoice Connect through 19.2 SP3 allows remote code execution because of incorrect data validation. The Service Appliances are SA 100, SA 400, and Virtual SA. | ||||
| CVE-2022-26143 | 1 Mitel | 2 Micollab, Mivoice Business Express | 2025-01-29 | 9.8 Critical |
| The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack. | ||||
| CVE-2023-25598 | 1 Mitel | 1 Mivoice Connect | 2025-01-17 | 6.1 Medium |
| A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. A successful exploit could allow an attacker to execute arbitrary scripts. | ||||
| CVE-2023-25599 | 1 Mitel | 1 Mivoice Connect | 2025-01-16 | 7.4 High |
| A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts. | ||||
| CVE-2024-55550 | 1 Mitel | 1 Micollab | 2025-01-11 | 4.4 Medium |
| Mitel MiCollab through 9.8 SP2 could allow an authenticated attacker with administrative privilege to conduct a local file read, due to insufficient input sanitization. A successful exploit could allow the authenticated admin attacker to access resources that are constrained to the admin access level, and the disclosure is limited to non-sensitive system information. This vulnerability does not allow file modification or privilege escalation. | ||||
| CVE-2024-41713 | 1 Mitel | 1 Micollab | 2025-01-11 | 9.1 Critical |
| A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations. | ||||
| CVE-2024-35314 | 1 Mitel | 2 Micollab, Mivoice Business Solutions Virtual Instance | 2025-01-09 | N/A |
| A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts. | ||||
| CVE-2024-35286 | 1 Mitel | 1 Micollab | 2024-12-10 | 9.8 Critical |
| A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations. | ||||
| CVE-2024-30160 | 1 Mitel | 1 Micollab | 2024-12-05 | 4.8 Medium |
| A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts. | ||||
| CVE-2024-30159 | 1 Mitel | 1 Micollab | 2024-12-05 | 4.8 Medium |
| A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts. | ||||
| CVE-2024-37570 | 1 Mitel | 4 6869i Sip, 6869i Sip Firmware, Rev00 6868i and 1 more | 2024-11-21 | 8.8 High |
| On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution. | ||||