CVE-2023-39285
Description
A vulnerability in the Edge Gateway component of Mitel MiVoice Connect through 19.3 SP3 (22.24.5800.0) could allow an unauthenticated attacker to perform a Cross Site Request Forgery (CSRF) attack due to insufficient request validation. A successful exploit could allow an attacker to provide a modified URL, potentially enabling them to modify system configuration settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in Mitel MiVoice Connect Edge Gateway allows unauthenticated attackers to modify system configuration via a crafted URL.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Edge Gateway component of Mitel MiVoice Connect. The issue stems from insufficient request validation, allowing an attacker to craft a malicious URL that, when visited by an authenticated user, can perform unauthorized actions. Affected versions include MiVoice Connect 19.3 SP3 HF1 (22.24.6900.0) and earlier [1].
Exploitation
An unauthenticated attacker with network access can exploit this vulnerability by tricking an authenticated user into clicking a specially crafted link. The attacker does not need any prior authentication or privileges. The crafted URL, when processed by the victim's browser, sends a request to the Edge Gateway that appears legitimate, thereby executing actions with the victim's session credentials [1].
Impact
Successful exploitation allows the attacker to modify system configuration settings within the MiVoice Connect environment. This could lead to unauthorized changes in network settings, user permissions, or other critical parameters, potentially compromising the integrity and availability of the communication system [1].
Mitigation
Mitel has released software updates to address this vulnerability. Customers are advised to upgrade to the latest version of MiVoice Connect. No workaround is currently available. For specific version information, contact Mitel Product Support [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mitel/MiVoice Connect
  - Range: <=19.3 SP3 (22.24.5800.0)
Patches
No patches discovered yet.
References