Vulnerability CVE-2018-5782


Published: 2018-03-14

Description:
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vsethost.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
ShoreTel / Mitel Connect ONSITE ST14.2 Remote Code Execution
twosevenzero
17.01.2019

Type:

CWE-94

(Improper Control of Generation of Code ('Code Injection'))

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Mitel -> Connect onsite 
Mitel -> St14.2 

 References:
https://github.com/twosevenzero/shoretel-mitel-rce
https://www.exploit-db.com/exploits/46174/
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0004

Copyright 2024, cxsecurity.com

 

Back to Top