CVE-2024-47223: 
Mitel MiCollab vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2024-47223) was discovered in the Audio, Web and Video Conferencing (AWV) component of Mitel MiCollab through version 9.8 SP1 FP2 (9.8.1.201). The vulnerability, which was disclosed on October 21, 2024, allows an unauthenticated attacker to conduct SQL injection attacks due to insufficient sanitization of user input. The flaw received a CVSS score of 9.4, indicating critical severity (Mitel Advisory, Security Online).

The vulnerability stems from insufficient sanitization of user input in the AWV component, allowing an unauthenticated attacker to conduct SQL injection attacks via specially crafted URLs. The flaw has been assigned a CVSS v3.1 base score of 9.4 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Security Online).

A successful exploitation of this vulnerability could allow attackers to access non-sensitive user provisioning information, such as usernames and email addresses. Additionally, attackers could execute arbitrary SQL database commands, potentially corrupting or removing database tables, which could render the MiCollab system inoperable (Mitel Advisory, Security Online).

Mitel has released a fix in MiCollab version 9.8 SP2 (9.8.2.12) and strongly recommends customers to upgrade to this or subsequent releases. For customers unable to upgrade immediately, Mitel has provided a temporary patch for versions 9.8, 9.8 SP1, and 9.8SP1FP1. Detailed instructions for applying the patch can be found in Mitel's Knowledge Management System (Mitel Advisory).

Credit for identifying and reporting this vulnerability has been attributed to Patrick Webster of OSI Security (Mitel Advisory).