Jahmil Williams

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions through 9.6.2304.102 **Description** A vulnerability in the Connect Mobility Router component could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings. **Recommendations** For versions through 9.6.2304.102, update to a version that addresses the insufficient request validation issue in the Connect Mobility Router component to prevent Cross Site Request Forgery (CSRF) attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions through 19.3 SP3 (22.24.5800.0) **Description** A vulnerability in the Edge Gateway component could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings. **Recommendations** For versions through 19.3 SP3 (22.24.5800.0), consider implementing additional validation for incoming requests to prevent CSRF attacks. As a temporary workaround, restrict access to system configuration settings until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions through 9.6.2208.101 **Description** A vulnerability in the Connect Mobility Router component could allow an unauthenticated attacker to conduct an account enumeration attack due to improper configuration. A successful exploit could allow an attacker to access system information. **Recommendations** For versions through 9.6.2208.101, update to a version later than 9.6.2208.101 to resolve the issue. As a temporary workaround, consider restricting access to the Connect Mobility Router component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MiVoice Connect versions through 9.6.2304.102 **Description** A vulnerability in the Connect Mobility Router component could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information. **Recommendations** For MiVoice Connect versions through 9.6.2304.102, consider reconfiguring the Connect Mobility Router component to prevent information disclosure attacks. As a temporary workaround, restrict access to system information until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions through 9.6.2304.102 **Description** A vulnerability in the Connect Mobility Router component could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic. **Recommendations** For Mitel MiVoice Connect versions through 9.6.2304.102, consider updating to a version that addresses the command argument injection issue in the Connect Mobility Router component to prevent exploitation. As a temporary workaround, restrict internal network access and ensure that only authorized personnel have elevated privileges to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions through R19.3 SP3 (22.24.5800.0) **Description** A vulnerability in the Edge Gateway component could allow an authenticated attacker with elevated privileges to conduct an information disclosure attack due to improper configuration. A successful exploit could allow an attacker to view system information. **Recommendations** For versions through R19.3 SP3 (22.24.5800.0), consider updating to a version later than R19.3 SP3 (22.24.5800.0) to resolve the issue. As a temporary workaround, restrict access to the Edge Gateway component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions through 19.3 SP3 (22.24.5800.0) **Description** A vulnerability in the Edge Gateway component could allow an authenticated attacker with elevated privileges and internal network access to conduct a command argument injection due to insufficient parameter sanitization. A successful exploit could allow an attacker to access network information and to generate excessive network traffic. **Recommendations** For Mitel MiVoice Connect versions through 19.3 SP3 (22.24.5800.0), consider disabling the Edge Gateway component until a patch is available to prevent command argument injection attacks. Restrict internal network access to minimize the risk of exploitation. Avoid using the Edge Gateway component for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions 9.6.2208.101 and earlier **Description** A vulnerability in the Connect Mobility Router component could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges. This is because the initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands. **Recommendations** For Mitel MiVoice Connect versions 9.6.2208.101 and earlier, ensure that a strong password is set for administrative access after the initial installation to prevent unauthorized access. Consider changing the default password to a unique and complex one to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MiVoice Connect versions 9.6.2208.101 and earlier **Description** A vulnerability in the Connect Mobility Router component could allow an authenticated attacker with internal network access to conduct a command injection attack due to insufficient restriction on URL parameters. **Recommendations** For versions 9.6.2208.101 and earlier, update to a version later than 9.6.2208.101 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier **Description** A vulnerability in the Headquarters server component could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. **Recommendations** For versions 19.3 SP2 (22.24.1500.0) and earlier, update to a version later than 19.3 SP2 (22.24.1500.0) to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions through 19.3 SP2 (22.24.1500.0) **Description** The Linux DVS server component could allow an unauthenticated attacker with internal network access to execute arbitrary scripts due to improper access control. **Recommendations** For versions through 19.3 SP2 (22.24.1500.0), update to a version later than 19.3 SP2 (22.24.1500.0) to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier **Description** A vulnerability in the Edge Gateway component could allow an unauthenticated attacker with internal network access to authenticate with administrative privileges, because initial installation does not enforce a password change. A successful exploit could allow an attacker to make arbitrary configuration changes and execute arbitrary commands. **Recommendations** For versions 19.3 SP2 (22.24.1500.0) and earlier, ensure that a strong password is set for administrative access after initial installation to prevent exploitation. As a temporary workaround, consider restricting access to the Edge Gateway component until a patch is available. Avoid using default or weak passwords for administrative accounts in the affected versions.