Remote Code Execution Vulnerability in Mitel MiVoice Connect Client
CVE-2020-12456

8.8HIGH

Key Information:

Vendor: Mitel
Status: Mivoice Connect
Vendor: CVE Published:; 26 August 2020

Summary

The Mitel MiVoice Connect Client prior to version 214.100.1223.0 is susceptible to a remote code execution vulnerability that stems from improper rendering of chat messages in the chat notification window. An attacker exploiting this vulnerability can execute arbitrary code, potentially leading to the theft of session cookies and directory traversal vulnerabilities. This critical flaw poses a significant risk, enabling attackers to run malicious scripts within the context of the Connect client, ultimately compromising user security.

References

https://www.mitel.com/support/security-advisories

x_refsource_MISC

https://www.mitel.com/support/security-advisories/mitel-p...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 26, 2020
Vulnerability Reserved
Apr 29, 2020