Details of VAR-201804-1295

ID

VAR-201804-1295

CVE

CVE-2018-9102

TITLE

Mitel MiVoice Connect and ST 14.2 In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-004467

DESCRIPTION

A vulnerability in the conferencing component of Mitel MiVoice Connect, versions R1707-PREM SP1 (21.84.5535.0) and earlier, and Mitel ST 14.2, versions GA27 (19.49.5200.0) and earlier, could allow an unauthenticated attacker to conduct an SQL injection attack due to insufficient input validation for the signin interface. A successful exploit could allow an attacker to extract sensitive information from the database. Mitel MiVoice Connect and ST 14.2 Is SQL An injection vulnerability exists.Information may be obtained. MitelMiVoiceConnectR1707-PREM and MitelST are products of Mitel, Canada. MitelMiVoiceConnectR1707-PREM is a unified communications management device. ST is a video conferencing product. Conferencing is one of the meeting notification components. The vulnerability stems from the program failing to perform sufficient input validation on the login interface

Trust: 2.16

sources: NVD: CVE-2018-9102 // JVNDB: JVNDB-2018-004467 // CNVD: CNVD-2018-08582

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2018-08582

AFFECTED PRODUCTS

vendor:	mitel	model:	st 14.2	scope:	lte	version:	19.49.5200.0	Trust: 1.0
vendor:	mitel	model:	mivoice connect	scope:	lte	version:	21.84.5535.0	Trust: 1.0
vendor:	mitel	model:	mivoice connect	scope:	lte	version:	r1707-prem sp1 (21.84.5535.0)	Trust: 0.8
vendor:	mitel	model:	st 14.2	scope:	lte	version:	ga27 (19.49.5200.0)	Trust: 0.8
vendor:	mitel	model:	mivoice connect	scope:	lte	version:	<=21.84.5535.0	Trust: 0.6
vendor:	mitel	model:	st ga27	scope:	lte	version:	<=14.2	Trust: 0.6
vendor:	mitel	model:	st 14.2	scope:	eq	version:	19.49.5200.0	Trust: 0.6
vendor:	mitel	model:	mivoice connect	scope:	eq	version:	21.84.5535.0	Trust: 0.6

sources: CNVD: CNVD-2018-08582 // JVNDB: JVNDB-2018-004467 // CNNVD: CNNVD-201804-1431 // NVD: CVE-2018-9102

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-9102
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2018-9102
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2018-08582
value:	HIGH
Trust: 0.6
CNNVD:	CNNVD-201804-1431
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2018-9102
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2018-08582
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2018-9102
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	3.6
version:	3.0
Trust: 1.8

sources: CNVD: CNVD-2018-08582 // JVNDB: JVNDB-2018-004467 // CNNVD: CNNVD-201804-1431 // NVD: CVE-2018-9102

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2018-004467 // NVD: CVE-2018-9102

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201804-1431

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201804-1431

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-004467

PATCH

title:	18-0003	url:	https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0003	Trust: 0.8
title:	MitelMiVoiceConnectSQL injection vulnerability patch	url:	https://www.cnvd.org.cn/patchInfo/show/127609	Trust: 0.6
title:	Mitel MiVoice Connect R1707-PREM SP1 and Mitel ST conferencing Component SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=79700	Trust: 0.6

sources: CNVD: CNVD-2018-08582 // JVNDB: JVNDB-2018-004467 // CNNVD: CNNVD-201804-1431

EXTERNAL IDS

db:	NVD	id:	CVE-2018-9102	Trust: 3.0
db:	JVNDB	id:	JVNDB-2018-004467	Trust: 0.8
db:	CNVD	id:	CNVD-2018-08582	Trust: 0.6
db:	CNNVD	id:	CNNVD-201804-1431	Trust: 0.6

sources: CNVD: CNVD-2018-08582 // JVNDB: JVNDB-2018-004467 // CNNVD: CNNVD-201804-1431 // NVD: CVE-2018-9102

REFERENCES

url:	https://www.mitel.com/mitel-product-security-advisory-18-0003	Trust: 1.6
url:	https://www.mitel.com/sites/default/files/2018-security-bulletin-18-0003-001.pdf	Trust: 1.6
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9102	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-9102	Trust: 0.8
url:	http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9102	Trust: 0.6

sources: CNVD: CNVD-2018-08582 // JVNDB: JVNDB-2018-004467 // CNNVD: CNNVD-201804-1431 // NVD: CVE-2018-9102

SOURCES

db:	CNVD	id:	CNVD-2018-08582
db:	JVNDB	id:	JVNDB-2018-004467
db:	CNNVD	id:	CNNVD-201804-1431
db:	NVD	id:	CVE-2018-9102

LAST UPDATE DATE

2024-11-23T21:39:00.465000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2018-08582	date:	2018-04-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-004467	date:	2018-06-20T00:00:00
db:	CNNVD	id:	CNNVD-201804-1431	date:	2018-04-26T00:00:00
db:	NVD	id:	CVE-2018-9102	date:	2024-11-21T04:14:57.740

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2018-08582	date:	2018-04-27T00:00:00
db:	JVNDB	id:	JVNDB-2018-004467	date:	2018-06-20T00:00:00
db:	CNNVD	id:	CNNVD-201804-1431	date:	2018-04-26T00:00:00
db:	NVD	id:	CVE-2018-9102	date:	2018-04-25T20:29:00.633