CVE-2018-5779

Name of the Vulnerable Software and Affected Versions Mitel Connect ONSITE versions R1711-PREM and earlier Mitel ST 14.2 release GA28 and earlier

Description A vulnerability in the conferencing component could allow an unauthenticated attacker to copy a malicious script into a newly generated PHP file and then execute the generated file using specially crafted requests. Successful exploit could allow an attacker to execute arbitrary code within the context of the application. The issue is related to incorrect code generation management, which may enable a remote attacker to inject and execute arbitrary code in the generated PHP file using specially crafted requests.

Recommendations For Mitel Connect ONSITE versions R1711-PREM and earlier, update to a version later than R1711-PREM to resolve the issue. For Mitel ST 14.2 release GA28 and earlier, update to a release later than GA28 to resolve the issue. As a temporary workaround, consider restricting access to the conferencing component to minimize the risk of exploitation.