Noel Sofley

Researcher from Tribal Phoenix
#43099 of 53,633
6.1 Total CVSS
Vulnerabilities · 1
PT-2018-13443
6.1
2018-10-23
Mitel · Mitel Mivoice Office 400 · CVE-2018-16226
**Name of the Vulnerable Software and Affected Versions**
Mitel MiVoice Office 400 versions R5.0 HF3 (v8839a1) and earlier

**Description**
A vulnerability in the web admin component could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack, due to insufficient validation for the "start.asp" page. A successful exploit could allow the attacker to execute arbitrary scripts to access sensitive browser-based information.

**Recommendations**
For Mitel MiVoice Office 400 versions R5.0 HF3 (v8839a1) and earlier, consider restricting access to the start.asp page until a patch is available. As a temporary workaround, avoid using the start.asp page in the web admin component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.