CVE-2024-35314 - Vulnerability Details

A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.03836.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:mitel:micollab::::::::
	cpe:2.3:a:mitel:mivoice_business_solution_virtual_instance:1.0.0.25:::::::*

No data.

Subscriptions

Vendors	Products
Mitel Subscribe	Micollab Subscribe Mivoice Business Solution Virtual Instance Subscribe Mivoice Business Solutions Virtual Instance Subscribe

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_24-0015-001-v3.pdf
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0015

History

Mon, 07 Jul 2025 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mitel mivoice Business Solution Virtual Instance
CPEs		cpe:2.3:a:mitel:micollab:::::::: cpe:2.3:a:mitel:mivoice_business_solution_virtual_instance:1.0.0.25:::::::*
Vendors & Products		Mitel mivoice Business Solution Virtual Instance

Tue, 25 Mar 2025 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 09 Jan 2025 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-94
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 08 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Description	A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary scripts.	A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts.
References		https://www.mitel.com/-/media/mitel/file/pdf/support/security-advisories/security-bulletin_24-0015-001-v3.pdf

Tue, 22 Oct 2024 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mitel Mitel micollab Mitel mivoice Business Solutions Virtual Instance
Weaknesses		CWE-94
CPEs		cpe:2.3:a:mitel:micollab:-:::::-:: cpe:2.3:a:mitel:mivoice_business_solutions_virtual_instance::::::::
Vendors & Products		Mitel Mitel micollab Mitel mivoice Business Solutions Virtual Instance
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 21 Oct 2024 21:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary scripts.
References		https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0015

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-10-21T00:00:00.000Z

Updated: 2025-03-25T14:14:25.141Z

Reserved: 2024-05-17T00:00:00.000Z

Link: CVE-2024-35314

Vulnrichment

Updated: 2024-10-22T13:52:47.448Z

NVD

Status : Analyzed

Published: 2024-10-21T21:15:05.533

Modified: 2025-07-07T17:54:52.597

Link: CVE-2024-35314

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-94

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

Tracking

JSON object

JSON object

JSON object

JSON object

JSON object