CVE-2024-30157 - Vulnerability Details - OpenCVE

A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mitel	Micollab

Configuration 1 [-]

cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0004

History

Fri, 25 Oct 2024 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mitel Mitel micollab
Weaknesses		CWE-89
CPEs		cpe:2.3:a:mitel:micollab::::::::
Vendors & Products		Mitel Mitel micollab
Metrics		cvssV3_1 `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 21 Oct 2024 21:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations.
References		https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0004

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-10-21T00:00:00

Updated: 2024-10-22T13:38:41.476Z

Reserved: 2024-03-24T00:00:00

Link: CVE-2024-30157

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-10-21T21:15:04.620

Modified: 2024-11-21T09:11:19.547

Link: CVE-2024-30157

Redhat

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-30157", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-22T13:38:41.476Z", "dateReserved": "2024-03-24T00:00:00", "datePublished": "2024-10-21T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-21T20:48:21.322917"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0004"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "affected": [{"vendor": "mitel", "product": "micollab", "cpes": ["cpe:2.3:a:mitel:micollab:-:*:*:*:*:-:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "9.7.1.110", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-22T13:36:41.767573Z", "id": "CVE-2024-30157", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-22T13:38:41.476Z"}}]}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*", "matchCriteriaId": "00AF6EAC-B97B-468A-AE23-625321787BCA", "versionEndIncluding": "9.7.1.110", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the Suite Applications Services component of Mitel MiCollab through 9.7.1.110 could allow an authenticated attacker with administrative privileges to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary database and management operations."}, {"lang": "es", "value": "Una vulnerabilidad en el componente Suite Applications Services de Mitel MiCollab hasta la versi\u00f3n 9.7.1.110 podr\u00eda permitir que un atacante autenticado con privilegios administrativos realice un ataque de inyecci\u00f3n SQL debido a una validaci\u00f3n insuficiente de la entrada del usuario. Una explotaci\u00f3n exitosa podr\u00eda permitir que un atacante ejecute operaciones arbitrarias de administraci\u00f3n y base de datos."}], "id": "CVE-2024-30157", "lastModified": "2024-11-21T09:11:19.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-21T21:15:04.620", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0004"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}