CVE-2018-9104

Name of the Vulnerable Software and Affected Versions Mitel MiVoice Connect versions R1707-PREM SP1 (21.84.5535.0) and earlier Mitel ST 14.2 versions GA27 (19.49.5200.0) and earlier

Description A reflected cross-site scripting (XSS) attack is possible due to insufficient validation for the "api.php" page. This could allow an unauthenticated attacker to execute arbitrary scripts.

Recommendations For Mitel MiVoice Connect versions R1707-PREM SP1 (21.84.5535.0) and earlier, update to a version later than R1707-PREM SP1 (21.84.5535.0) to resolve the issue. For Mitel ST 14.2 versions GA27 (19.49.5200.0) and earlier, update to a version later than GA27 (19.49.5200.0) to resolve the issue. As a temporary workaround, consider restricting access to the "api.php" page until a patch is available.