CVE-2025-27828
Description
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4, 10.1.0.0 through 10.1.0.5, and 10.2.0.0 through 10.2.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts with limited impact on confidentiality and integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the legacy chat component of Mitel MiContact Center Business, caused by insufficient input validation, could allow an unauthenticated attacker to execute arbitrary scripts in a victim's browser; exploitation requires user interaction.
A reflected cross-site scripting (XSS) vulnerability has been identified in the Legacy Chat component of Mitel MiContact Center Business, due to insufficient input validation [2]. This vulnerability affects versions 10.0.0.0 through 10.0.0.4, 10.1.0.0 through 10.1.0.5, 10.2.0.0 through 10.2.0.4, and 9.5.0.3 and earlier [2].
Exploitation of this vulnerability does not require authentication, but does require user interaction, such as clicking a specially crafted link [2]. An unauthenticated attacker can inject arbitrary scripts into the chat component, which will be reflected back to the victim's browser.
Successful exploitation could allow an attacker to execute arbitrary scripts with limited impact on confidentiality and integrity, potentially enabling the attacker to obtain sensitive information or modify the current chat session [2]. The CVSS v3.1 base score is 7.1, rated as high severity [2].
Mitel has released upgrades and hotfixes to address this issue. Customers should upgrade to MiContact Center Business version 10.2.0.5 or later, or apply hotfixes KB571322, KB571372, or KB571320 for specific releases [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.