Security updates for a critical vulnerability in MiVoice MX-ONE systems were unveiled by Mitel, reports The Hacker News.
The authentication bypass flaw, which carries a Common Vulnerability Scoring System score of 9.4 out of 10.0, was found in the Provisioning Manager component of MiVoice systems and affects versions 7.3 to 7.8 Service Pack 1 (SP1). If successfully exploited, this could allow attackers to execute "an authentication bypass attack due to improper access control" and "gain unauthorized access to user or admin accounts in the system," the company said. The security updates are available as MXO-15711_78SP0 and MXO-15711_78SP1 for MX-ONE versions 7.8 and 7.8 SP1. Meanwhile, users of version 7.3 and later are encouraged to submit a request for patches to their authorized service partner.

Mitel also released updates for a MiCollab vulnerability that could allow an authenticated attacker to execute an SQL injection attack. "A successful exploit could allow an attacker to access user provisioning information and execute arbitrary SQL database commands with potential impacts on the confidentiality, integrity, and availability of the system," according to the company.




