CVE-2023-25599
Description
A vulnerability in the conferencing component of Mitel MiVoice Connect through 19.3 SP2, 22.24.1500.0 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient validation for the test_presenter.php page. A successful exploit could allow an attacker to execute arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Mitel MiVoice Connect conferencing component via insufficient validation in test_presenter.php.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the conferencing component of Mitel MiVoice Connect version 19.3 SP2 (22.24.1500.0) and earlier [2]. The flaw resides in the test_presenter.php page, which fails to properly validate user-supplied input, allowing an attacker to inject arbitrary scripts [2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious link that includes a script payload and enticing a victim to click it [2]. No authentication or special network position is required beyond the victim accessing the vulnerable page [1]. The attacker does not need prior access to the system.
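For triage alongside patching, the following added example (not from Mitel or from this CVE's references) scans web access-log lines for requests to test_presenter.php whose decoded query string carries markup or script indicators. The combined log format, the `/placeholder/` path prefix and the parameter name `x` are assumptions, since the description names only the page itself.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: the web tier writes Apache/NGINX "combined"-style access logs.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Markup or script indicators that have no business in a query string.
SUSPICIOUS_RE = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)
PAGE = "test_presenter.php"  # page named in the CVE description


def decode_fully(value, max_rounds=3):
    """Undo nested URL encoding (e.g. %253C -> %3C -> <), with a bound."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_requests(log_lines):
    """Return (line_number, decoded_query) for suspicious hits on PAGE."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.lower().endswith("/" + PAGE):
            continue
        query = decode_fully(parts.query)
        if SUSPICIOUS_RE.search(query):
            hits.append((number, query))
    return hits


# Constructed sample lines; path prefix and parameter name "x" are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /placeholder/test_presenter.php?x=demo HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /placeholder/test_presenter.php?x=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 540',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /placeholder/test_presenter.php?x=%253Cimg%2520src%253Dy%253E HTTP/1.1" 200 538',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /placeholder/other.php?x=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, query in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {query}")
```

The pattern is deliberately broad and will flag some benign requests; treat hits as leads for review, not as confirmed exploitation.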
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session [1][2]. This can lead to information disclosure, session hijacking, or other actions within the affected application's security context. The impact is limited to the victim's browser interaction with the MiVoice Connect interface.
Mitigation
Mitel has released software updates to address this vulnerability; customers are advised to update their installations to the latest version [2]. No workarounds are detailed in the available references [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mitel/MiVoice Connect
- Range: <=22.24.1500.0