CVE-2018-5780

Name of the Vulnerable Software and Affected Versions Mitel Connect ONSITE versions R1711-PREM and earlier Mitel ST 14.2 release GA28 and earlier

Description A vulnerability in the conferencing component could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the "vnewmeeting.php" page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application. The issue is related to incorrect code generation management, which may allow a remote attacker to embed arbitrary code in a generated PHP file and execute it.

Recommendations For Mitel Connect ONSITE versions R1711-PREM and earlier, consider disabling access to the "vnewmeeting.php" page until a patch is available. For Mitel ST 14.2 release GA28 and earlier, restrict access to the conferencing component to minimize the risk of exploitation.