CVE-2018-5781

Name of the Vulnerable Software and Affected Versions Mitel Connect ONSITE versions R1711-PREM and earlier Mitel ST 14.2 release GA28 and earlier

Description A vulnerability in the conferencing component could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the "vendrecording.php" page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application. The issue is related to incorrect code generation management, which may enable a remote attacker to inject and execute arbitrary code in the generated PHP file using specially crafted requests to the "vendrecording.php" script.

Recommendations For Mitel Connect ONSITE versions R1711-PREM and earlier, consider disabling access to the "vendrecording.php" page until a patch is available. For Mitel ST 14.2 release GA28 and earlier, restrict access to the vulnerable conferencing component to minimize the risk of exploitation.