cvelistv5 - CVE-2024-30159

CVE-2024-30159 (GCVE-0-2024-30159)

Vulnerability from cvelistv5 – Published: 2024-10-21 00:00 – Updated: 2025-03-22 14:45

Summary

A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.

Severity ?

4.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CWE

Assigner

mitre

References

URL

Tags

https://www.mitel.com/support/security-advisories…

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 4.8,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "HIGH",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-30159",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:59:11.032349Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-79",
                "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-22T14:45:55.462Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-21T20:46:54.192Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2024-30159",
    "datePublished": "2024-10-21T00:00:00.000Z",
    "dateReserved": "2024-03-24T00:00:00.000Z",
    "dateUpdated": "2025-03-22T14:45:55.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"9.7.1.110\", \"matchCriteriaId\": \"00AF6EAC-B97B-468A-AE23-625321787BCA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad en el componente de conferencias web de Mitel MiCollab hasta la versi\\u00f3n 9.7.1.110 podr\\u00eda permitir que un atacante autenticado con privilegios administrativos realice un ataque de Cross Site Scripting (XSS) almacenado debido a una validaci\\u00f3n insuficiente de la entrada del usuario. Una explotaci\\u00f3n exitosa podr\\u00eda permitir que un atacante ejecute secuencias de comandos arbitrarias.\"}]",
      "id": "CVE-2024-30159",
      "lastModified": "2024-10-25T16:30:47.127",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.7, \"impactScore\": 2.7}]}",
      "published": "2024-10-21T21:15:05.073",
      "references": "[{\"url\": \"https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-30159\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2024-10-21T21:15:05.073\",\"lastModified\":\"2025-03-22T15:15:37.173\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el componente de conferencias web de Mitel MiCollab hasta la versi\u00f3n 9.7.1.110 podr\u00eda permitir que un atacante autenticado con privilegios administrativos realice un ataque de Cross Site Scripting (XSS) almacenado debido a una validaci\u00f3n insuficiente de la entrada del usuario. Una explotaci\u00f3n exitosa podr\u00eda permitir que un atacante ejecute secuencias de comandos arbitrarias.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.7,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.7.1.110\",\"matchCriteriaId\":\"00AF6EAC-B97B-468A-AE23-625321787BCA\"}]}]}],\"references\":[{\"url\":\"https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-30159\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-22T13:59:11.032349Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-22T13:59:16.660Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"n/a\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\"}]}], \"references\": [{\"url\": \"https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"n/a\"}]}], \"providerMetadata\": {\"orgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"shortName\": \"mitre\", \"dateUpdated\": \"2024-10-21T20:46:54.192Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-30159\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-22T14:45:55.462Z\", \"dateReserved\": \"2024-03-24T00:00:00.000Z\", \"assignerOrgId\": \"8254265b-2729-46b6-b9e3-3dfca2d5bfca\", \"datePublished\": \"2024-10-21T00:00:00.000Z\", \"assignerShortName\": \"mitre\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2024-AVI-0293

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Mitel MiCollab. Elles permettent à un attaquant de provoquer une exécution de code arbitraire et une injection de code indirecte à distance (XSS).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Mitel	MiCollab	MiCollab versions antérieures à 9.8

References

Title

Publication Time

Tags

Bulletin de sécurité Mitel 24-0005 du 10 avril 2024	None	vendor-advisory
Bulletin de sécurité Mitel 24-0004 du 10 avril 2024	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "MiCollab versions ant\u00e9rieures \u00e0 9.8",
      "product": {
        "name": "MiCollab",
        "vendor": {
          "name": "Mitel",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2024-30160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30160"
    },
    {
      "name": "CVE-2024-30158",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30158"
    },
    {
      "name": "CVE-2024-30157",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30157"
    },
    {
      "name": "CVE-2024-30159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30159"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0293",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-04-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eMitel MiCollab\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire et une injection de code\nindirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Mitel MiCollab",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mitel 24-0005 du 10 avril 2024",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mitel 24-0004 du 10 avril 2024",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0004"
    }
  ]
}

CERTFR-2024-AVI-0293

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Mitel	MiCollab	MiCollab versions antérieures à 9.8

References

Title

Publication Time

Tags

Bulletin de sécurité Mitel 24-0005 du 10 avril 2024	None	vendor-advisory
Bulletin de sécurité Mitel 24-0004 du 10 avril 2024	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "MiCollab versions ant\u00e9rieures \u00e0 9.8",
      "product": {
        "name": "MiCollab",
        "vendor": {
          "name": "Mitel",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2024-30160",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30160"
    },
    {
      "name": "CVE-2024-30158",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30158"
    },
    {
      "name": "CVE-2024-30157",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30157"
    },
    {
      "name": "CVE-2024-30159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-30159"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0293",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-04-11T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eMitel MiCollab\u003c/span\u003e. Elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire et une injection de code\nindirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Mitel MiCollab",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mitel 24-0005 du 10 avril 2024",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Mitel 24-0004 du 10 avril 2024",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0004"
    }
  ]
}

GHSA-9GV8-656M-XPVM

Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-10-25 18:30

Details

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-30159"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T21:15:05Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts.",
  "id": "GHSA-9gv8-656m-xpvm",
  "modified": "2024-10-25T18:30:48Z",
  "published": "2024-10-21T21:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30159"
    },
    {
      "type": "WEB",
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

FKIE_CVE-2024-30159

Vulnerability from fkie_nvd - Published: 2024-10-21 21:15 - Updated: 2025-03-22 15:15

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	cve@mitre.org	https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005	Vendor Advisory

Impacted products

	Vendor	Product	Version
	mitel	micollab	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "00AF6EAC-B97B-468A-AE23-625321787BCA",
              "versionEndIncluding": "9.7.1.110",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the web conferencing component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a Stored Cross-Site Scripting (XSS) attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary scripts."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el componente de conferencias web de Mitel MiCollab hasta la versi\u00f3n 9.7.1.110 podr\u00eda permitir que un atacante autenticado con privilegios administrativos realice un ataque de Cross Site Scripting (XSS) almacenado debido a una validaci\u00f3n insuficiente de la entrada del usuario. Una explotaci\u00f3n exitosa podr\u00eda permitir que un atacante ejecute secuencias de comandos arbitrarias."
    }
  ],
  "id": "CVE-2024-30159",
  "lastModified": "2025-03-22T15:15:37.173",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-21T21:15:05.073",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2024-0852

Vulnerability from csaf_certbund - Published: 2024-04-10 22:00 - Updated: 2024-04-10 22:00

Summary

Mitel MiCollab: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MiCollab ist eine Kommunikationssuite von Mitel für die Zusammenarbeit in Echtzeit.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Mitel MiCollab ausnutzen, um Daten zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MiCollab ist eine Kommunikationssuite von Mitel f\u00fcr die Zusammenarbeit in Echtzeit.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Mitel MiCollab ausnutzen, um Daten zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0852 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0852.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0852 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0852"
      },
      {
        "category": "external",
        "summary": "Mitel Product Security Advisory vom 2024-04-10",
        "url": "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-24-0004"
      },
      {
        "category": "external",
        "summary": "Mitel Product Security Advisory vom 2024-04-10",
        "url": "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-24-0005"
      }
    ],
    "source_lang": "en-US",
    "title": "Mitel MiCollab: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2024-04-10T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:07:35.866+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0852",
      "initial_release_date": "2024-04-10T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-04-10T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.8",
                "product": {
                  "name": "Mitel MiCollab \u003c9.8",
                  "product_id": "T034088"
                }
              }
            ],
            "category": "product_name",
            "name": "MiCollab"
          }
        ],
        "category": "vendor",
        "name": "Mitel"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-30157",
      "notes": [
        {
          "category": "description",
          "text": "In Mitel MiCollab existieren mehrere Schwachstellen. Diese sind auf Anf\u00e4lligkeiten f\u00fcr SQL-Injections zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Daten zu manipulieren."
        }
      ],
      "release_date": "2024-04-10T22:00:00.000+00:00",
      "title": "CVE-2024-30157"
    },
    {
      "cve": "CVE-2024-30158",
      "notes": [
        {
          "category": "description",
          "text": "In Mitel MiCollab existieren mehrere Schwachstellen. Diese sind auf Anf\u00e4lligkeiten f\u00fcr SQL-Injections zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Daten zu manipulieren."
        }
      ],
      "release_date": "2024-04-10T22:00:00.000+00:00",
      "title": "CVE-2024-30158"
    },
    {
      "cve": "CVE-2024-30159",
      "notes": [
        {
          "category": "description",
          "text": "In Mitel MiCollab existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2024-04-10T22:00:00.000+00:00",
      "title": "CVE-2024-30159"
    },
    {
      "cve": "CVE-2024-30160",
      "notes": [
        {
          "category": "description",
          "text": "In Mitel MiCollab existieren mehrere Cross-Site Scripting Schwachstellen. HTML und Script-Eingaben werden nicht ordnungsgem\u00e4\u00df \u00fcberpr\u00fcft, bevor sie an den Benutzer zur\u00fcckgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstellen beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausf\u00fchren. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich."
        }
      ],
      "release_date": "2024-04-10T22:00:00.000+00:00",
      "title": "CVE-2024-30160"
    }
  ]
}

CNVD-2024-42929

Vulnerability from cnvd - Published: 2024-11-04

Title

Mitel MiCollab跨站脚本漏洞（CNVD-2024-42929）

Description

Mitel MiCollab是加拿大敏迪（Mitel）公司的一款为员工提供语音、视频、消息、音频会议和团队协作的移动应用程序。 Mitel MiCollab存在跨站脚本漏洞，攻击者可利用该漏洞注入恶意脚本或HTML代码。

Severity

中

Patch Name

Mitel MiCollab跨站脚本漏洞（CNVD-2024-42929）的补丁

Patch Description

Mitel MiCollab是加拿大敏迪（Mitel）公司的一款为员工提供语音、视频、消息、音频会议和团队协作的移动应用程序。 Mitel MiCollab存在跨站脚本漏洞，攻击者可利用该漏洞注入恶意脚本或HTML代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005

Reference

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005

Impacted products

Name
Mitel MiCollab <=9.7.1.110

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2024-30159",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2024-30159"
    }
  },
  "description": "Mitel MiCollab\u662f\u52a0\u62ff\u5927\u654f\u8fea\uff08Mitel\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u4e3a\u5458\u5de5\u63d0\u4f9b\u8bed\u97f3\u3001\u89c6\u9891\u3001\u6d88\u606f\u3001\u97f3\u9891\u4f1a\u8bae\u548c\u56e2\u961f\u534f\u4f5c\u7684\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\n\nMitel MiCollab\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2024-42929",
  "openTime": "2024-11-04",
  "patchDescription": "Mitel MiCollab\u662f\u52a0\u62ff\u5927\u654f\u8fea\uff08Mitel\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u4e3a\u5458\u5de5\u63d0\u4f9b\u8bed\u97f3\u3001\u89c6\u9891\u3001\u6d88\u606f\u3001\u97f3\u9891\u4f1a\u8bae\u548c\u56e2\u961f\u534f\u4f5c\u7684\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nMitel MiCollab\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u6076\u610f\u811a\u672c\u6216HTML\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mitel MiCollab\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-42929\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Mitel MiCollab \u003c=9.7.1.110"
  },
  "referenceLink": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0005",
  "serverity": "\u4e2d",
  "submitTime": "2024-10-28",
  "title": "Mitel MiCollab\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2024-42929\uff09"
}

GSD-2024-30159

Vulnerability from gsd - Updated: 2024-04-03 05:02

Details

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Aliases

CVE-2024-30159

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-30159"
      ],
      "id": "GSD-2024-30159",
      "modified": "2024-04-03T05:02:29.193766Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-30159",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-30159 (GCVE-0-2024-30159)

CERTFR-2024-AVI-0293

Solution

CERTFR-2024-AVI-0293

Solution

GHSA-9GV8-656M-XPVM

FKIE_CVE-2024-30159

WID-SEC-W-2024-0852

CNVD-2024-42929

GSD-2024-30159

Tags

Sightings

Nomenclature