PT-2018-6262 · Mitel · Mitel ST

Published

2018-03-13

·

Updated

2018-09-07

·

CVE-2017-16251

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Mitel ST 14.2, release GA28 and earlier
Description: A vulnerability in the conferencing component could allow an authenticated user to upload a malicious script to the Personal Library via a crafted POST request to an unspecified API endpoint. Because the uploaded content is not restricted to safe file types, successful exploitation could allow the attacker to execute arbitrary code within the context of the application (unrestricted file upload, CWE-434). The attacker needs valid credentials, which is reflected in the Au:S component of the CVSS vector.
Recommendations: For Mitel ST 14.2, release GA28 and earlier, until a fixed release is applied, restrict access to the Personal Library upload functionality to trusted accounts and limit the ability to upload scripts. As a temporary workaround, disable the script upload functionality entirely to minimize the risk of exploitation. Since exploitation requires an authenticated session, also review which accounts can reach the conferencing component.
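The following is an added illustration of the weakness class named above, not Mitel code and not the actual vulnerable endpoint (which the advisory leaves unspecified). It contrasts the CWE-434 pattern (trusting the client-supplied filename and storing it where it may later be executed) with a hardened upload check that applies an extension allowlist, rejects script extensions anywhere in the name, verifies leading magic bytes against the declared type, enforces a size limit, assigns a server-chosen filename, and honours the advisory's "disable script upload" workaround as a switch. Every constant, filename and sample payload below is an assumption constructed for the demo.

```python
"""Illustrative upload validation for a 'Personal Library'-style endpoint.

Added example; not Mitel's code. Models the unrestricted-file-upload
(CWE-434) pattern described in the advisory and a hardened alternative.
Allowed types, limits and sample inputs are assumptions for the demo.
"""
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumption: the library is meant to hold documents and images only.
# Map of allowed extension -> required leading bytes (magic number).
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 10 * 1024 * 1024
# Extensions that a web or application server may hand to an interpreter.
SCRIPT_EXTENSIONS = {".php", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py", ".sh"}


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def naive_target_path(library_root: str, client_filename: str) -> str:
    """The CWE-434 pattern: the client picks the name (and therefore the
    extension and any '../' components), and it lands under a directory the
    application serves or executes from. Returned, not written, for the demo."""
    return os.path.join(library_root, client_filename)


def validate_upload(filename: str, content: bytes, *,
                    uploads_enabled: bool = True) -> UploadResult:
    """Hardened check: returns whether the upload may be stored and, if so,
    the server-chosen name to store it under."""
    if not uploads_enabled:
        # The advisory's temporary workaround: refuse all uploads.
        return UploadResult(False, "upload functionality disabled")
    if len(content) > MAX_UPLOAD_BYTES:
        return UploadResult(False, "file too large")

    # Drop any path component the client sent ("../../www/x.php").
    base = os.path.basename(filename.replace("\\", "/"))
    # Check every suffix, not only the last: "x.php.pdf" can still be
    # executed by servers that honour multiple extensions.
    suffixes = ["." + s.lower() for s in base.split(".")[1:]]
    if any(s in SCRIPT_EXTENSIONS for s in suffixes):
        return UploadResult(False, f"script extension rejected: {base}")

    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return UploadResult(False, f"extension not allowed: {ext or '(none)'}")
    if not content.startswith(magic):
        return UploadResult(False, "content does not match declared type")

    # Server-chosen name: the client never controls what lands on disk.
    return UploadResult(True, "ok", f"{secrets.token_hex(16)}{ext}")


def safe_store(library_root: str, result: UploadResult, content: bytes) -> str:
    """Write an accepted upload under library_root, which should be outside
    any web-served or interpreter-mapped directory, and confirm the final
    path resolves inside that root."""
    if not result.accepted or result.stored_name is None:
        raise ValueError("refusing to store a rejected upload")
    root = os.path.realpath(library_root)
    path = os.path.realpath(os.path.join(root, result.stored_name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes library root")
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Constructed sample payloads.
    print(naive_target_path("/srv/library", "../www/shell.php"))
    print(validate_upload("shell.php", b"<?php system($_GET['c']); ?>"))
    print(validate_upload("report.pdf", b"%PDF-1.7 constructed sample"))
```

The suffix check and magic-byte check are the two pieces most often missing from upload handlers that otherwise "validate the extension": the first defeats double-extension and multi-extension tricks, the second defeats a script renamed to an allowed extension. Storing under a server-chosen random name in a directory no interpreter is mapped to means that even a bypass of the checks yields a file that is never executed.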

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

CVE-2017-16251

Affected Products

Mitel ST