Filtered by vendor Mitel Subscriptions
Total 131 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-37570 1 Mitel 4 6869i Sip, 6869i Sip Firmware, Rev00 6868i and 1 more 2024-11-21 8.8 High
On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upgrade.html) page does not perform sanitization on the username and path parameters (sent by an authenticated user) before appending flags to the busybox ftpget command. This leads to $() command execution.
CVE-2024-37569 1 Mitel 3 6869i Firmware, 6869i Sip, 6869i Sip Firmware 2024-11-21 8.3 High
An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x through 5.0.0.1018 devices. A command injection vulnerability exists in the hostname parameter taken in by the provis.html endpoint. The provis.html endpoint performs no sanitization on the hostname parameter (sent by an authenticated user), which is subsequently written to disk. During boot, the hostname parameter is executed as part of a series of shell commands. Attackers can achieve remote code execution in the root context by placing shell metacharacters in the hostname parameter.
CVE-2024-31967 1 Mitel 3 6800 Series Sip Phones, 6900 Series Sip Phones, 6970 Conference Unit 2024-11-21 9.1 Critical
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access attack due to improper access control. A successful exploit could allow an attacker to gain unauthorized access to user information or the system configuration.
CVE-2024-31966 1 Mitel 4 6800 Series Firmware, 6900 Series Firmware, 6900w Series Firmware and 1 more 2024-11-21 6.2 Medium
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an authenticated attacker with administrative privilege to conduct an argument injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to access sensitive information, modify system configuration or execute arbitrary commands.
CVE-2024-31965 1 Mitel 2 6800 Series Sip Phones, 6900 Series Sip Phones 2024-11-21 4.2 Medium
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an authenticated attacker with administrative privilege to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information.
CVE-2024-31964 1 Mitel 3 6800 Series Sip Phones, 6900w Series Sip Phone, 6970 Conference Unit 2024-11-21 7.5 High
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication control. A successful exploit could allow an attacker to modify system configuration settings and potentially cause a denial of service.
CVE-2024-31963 1 Mitel 4 6800 Series Sip Phones, 6900 Series Sip Phones, 6900w Series Sip Phone and 1 more 2024-11-21 6.4 Medium
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an authenticated attacker to conduct a buffer overflow attack due to insufficient bounds checking and input sanitization. A successful exploit could allow an attacker to gain access to sensitive information, modify system configuration or execute arbitrary commands within the context of the system.
CVE-2024-30157 1 Mitel 1 Micollab 2024-11-21 7.2 High
A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.
CVE-2024-28815 1 Mitel 2 Cmg Suite, Inattend 2024-11-21 9.8 Critical
A vulnerability in the BluStar component of Mitel InAttend 2.6 SP4 through 2.7 and CMG 8.5 SP4 through 8.6 could allow access to sensitive information, changes to the system configuration, or execution of arbitrary commands within the context of the system.
CVE-2023-40266 1 Mitel 1 Unify Openscape Xpressions Webassistant 2024-11-21 9.8 Critical
An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows path traversal.
CVE-2023-40265 1 Mitel 1 Unify Openscape Xpressions Webassistant 2024-11-21 8.8 High
An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows authenticated remote code execution via file upload.
CVE-2023-39293 1 Mitel 3 Mivoice Office 400, Mivoice Office 400 Smb Controller, Mivoice Office 400 Smb Controller Firmware 2024-11-21 9.8 Critical
A Command Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to execute arbitrary commands within the context of the system.
CVE-2023-39292 1 Mitel 3 Mivoice Office 400, Mivoice Office 400 Smb Controller, Mivoice Office 400 Smb Controller Firmware 2024-11-21 9.8 Critical
A SQL Injection vulnerability has been identified in the MiVoice Office 400 SMB Controller through 1.2.5.23 which could allow a malicious actor to access sensitive information and execute arbitrary database and management operations.
CVE-2023-39291 1 Mitel 1 Mivoice Connect 2024-11-21 4.9 Medium
A vulnerability in the Connect Mobility Router component of MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.
CVE-2023-39290 1 Mitel 1 Mivoice Connect 2024-11-21 4.9 Medium
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through R19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information.
CVE-2023-39289 1 Mitel 1 Mivoice Connect 2024-11-21 7.5 High
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2208.101 could allow an unauthenticated attacker to conduct an account enumeration attack due to improper configuration. A successful exploit could allow an attacker to access system information.
CVE-2023-39288 1 Mitel 1 Mivoice Connect 2024-11-21 5.5 Medium
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CVE-2023-39287 1 Mitel 1 Mivoice Connect 2024-11-21 5.5 Medium
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic.
CVE-2023-39286 1 Mitel 1 Connect Mobility Router 2024-11-21 4.3 Medium
A vulnerability in the Connect Mobility Router component of Mitel MiVoice Connect through 9.6.2304.102 could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.
CVE-2023-39285 1 Mitel 1 Mivoice Connect 2024-11-21 4.3 Medium
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.