Unauthenticated SQL Injection Vulnerability in Mitel MiCollab NPM could Lead to Sensitive Information Exposure
CVE-2024-35286
Key Information:
- Vendor: Mitel
- CVE Published: 21 October 2024
What is CVE-2024-35286?
CVE-2024-35286 is a severe vulnerability in the NuPoint Messenger (NPM) component of Mitel MiCollab, affecting versions up to and including 9.8.0.33. It stems from insufficient sanitization of user-supplied input, which allows an unauthenticated attacker to perform SQL injection. Successful exploitation can give the attacker unauthorized access to sensitive organizational data, compromising the confidentiality and integrity of critical information.
Technical Details
The vulnerability lies in how NuPoint Messenger handles user-supplied input. Values received through input fields are not properly sanitized before being incorporated into database queries, so an attacker can inject SQL fragments and cause the database to execute arbitrary SQL commands. This allows the attacker to manipulate query logic, read sensitive data, or interfere with management operations within the application. Because the affected input is reachable without authentication, no credentials are required to attempt an attack, which significantly heightens the risk.
Potential impact of CVE-2024-35286
- Sensitive Information Exposure: An attacker can exploit this vulnerability to access confidential data, including user information and internal communications, leading to substantial privacy breaches.
- Database Compromise: The ability to execute arbitrary database commands may allow attackers to alter, delete, or exfiltrate critical data, disrupting business operations and degrading data integrity.
- Operational Disruption: Successful exploitation could enable attackers to manipulate management operations within Mitel MiCollab, leading to downtime or service unavailability, which can affect communication and collaboration capabilities within an organization.
News Articles
PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug to access sensitive files
A zero-day arbitrary file read vulnerability in Mitel MiCollab can be chained with a now-patched critical bug in the same platform to give attackers access to sensitive files on vulnerable instances. A...
2 months ago
Bypass Bug Revives Critical N-Day in Mitel MiCollab
A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.
2 months ago