CVE-2022-40765

Warning

EPSS 2.95%
Published 22.11.2022 01:15:31
Last modified 04.02.2025 14:52:50
Source cve@mitre.org
Teams watchlist Login
Open Login

A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker with internal network access to conduct a command-injection attack, due to insufficient restriction of URL parameters.

Affected products Warnungen 1 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Mitel ≫ Mivoice Connect Version < 19.3

Mitel ≫ Mivoice Connect Version19.3 Update-

21.02.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Mitel MiVoice Connect Command Injection Vulnerability

Vulnerability

The Mitel Edge Gateway component of MiVoice Connect allows an authenticated attacker with internal network access to execute commands within the context of the system.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.95%	0.86

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	0.9	5.9	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	6.8	0.9	5.9	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.mitel.com/support/security-advisories

Vendor Advisory

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0007

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2022-40765

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-40765

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-40765

EUVD