CVE-2023-22854


CVSS 9.1 (Critical) · EPSS 0.6% · CWE-839
In short

An unauthenticated attacker can download any file from a Mitel MiContact Center Business server by exploiting weak URL parameter validation in the ccmweb component. This exposes sensitive information without requiring login credentials.

Technical detail

The ccmweb component in Mitel MiContact Center Business 9.2.2.0–9.4.1.0 fails to properly validate URL parameters, allowing unauthenticated arbitrary file download (CWE-839). The attack requires no authentication and succeeds against default or exposed installations, resulting in unauthorized access to sensitive data stored on the server.

Summary generated and translated by AI from the official description.
The ccmweb component of Mitel MiContact Center Business server 9.2.2.0 through 9.4.1.0 could allow an unauthenticated attacker to download arbitrary files, due to insufficient restriction of URL parameters. A successful exploit could allow access to sensitive information.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
n/a · n/a
