CVE-2018-5782

Name of the Vulnerable Software and Affected Versions Mitel Connect ONSITE versions R1711-PREM and earlier Mitel ST 14.2 release GA28 and earlier

Description A vulnerability in the conferencing component could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the "vsethost.php" page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application. The issue is related to incorrect code generation management. An attacker could exploit this vulnerability by sending specially crafted requests to the vsethost.php script, allowing them to inject and execute arbitrary PHP code.

Recommendations For Mitel Connect ONSITE versions R1711-PREM and earlier, consider disabling access to the vsethost.php page until a patch is available. For Mitel ST 14.2 release GA28 and earlier, restrict access to the conferencing component to minimize the risk of exploitation.