CVE-2023-25598
Description
A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2 and 20.x, 21.x, and 22.x through 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the home.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated reflected XSS in Mitel MiVoice Connect conferencing component allows arbitrary script execution via the home.php page.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the home.php page of the conferencing component in Mitel MiVoice Connect versions 19.3 SP2 (22.24.1500.0) and earlier, as well as 20.x, 21.x, and 22.x through 22.24.1500.0 [1], [2]. The vulnerability is due to insufficient validation of user-supplied input, enabling an attacker to inject arbitrary script code into the page response.
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL containing the XSS payload in a parameter that is reflected by home.php. The attacker must then convince a victim to click on the crafted link (e.g., via phishing or social engineering) [2]. No authentication or prior access is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the affected application and the victim’s browser. Depending on the session context, this can lead to information disclosure, session hijacking, or other client-side attacks [1], [2]. The scope of compromise is limited to the user's browser session within the MiVoice Connect application.
Mitigation
Mitel has released updated software versions that address this vulnerability. Customers should upgrade to the latest release of MiVoice Connect as recommended in the advisory [2]. For versions known to be EOL or unsupported, upgrading to a supported version is advised. No workarounds are documented in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mitel/MiVoice Connect
- Range: <=19.3 SP2, 20.x, 21.x, 22.x <=22.24.1500.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.