CVE-2022-41223 - OpenCVE

The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Mitel	Mivoice Connect

Configuration 1 [-]

OR	cpe:2.3:a:mitel:mivoice_connect::::::::
	cpe:2.3:a:mitel:mivoice_connect:19.3:-::::::

References

Link	Resource
https://www.mitel.com/support/security-advisories	Vendor Advisory
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0008	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2022-11-22T00:00:00

Updated: 2022-11-22T00:00:00

Reserved: 2022-09-21T00:00:00

Link: CVE-2022-41223

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-11-22T01:15:32.897

Modified: 2022-11-26T03:25:42.150

Link: CVE-2022-41223

JSON object: View

Redhat Information

No data.

CWE

CWE-94

{"cisaActionDue": "2023-03-14", "cisaExploitAdd": "2023-02-21", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Mitel MiVoice Connect Code Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mitel:mivoice_connect:*:*:*:*:*:*:*:*", "matchCriteriaId": "D793461C-AAEE-464A-970A-1CCCA53BD240", "versionEndExcluding": "19.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mitel:mivoice_connect:19.3:-:*:*:*:*:*:*", "matchCriteriaId": "FAF7BBF2-8DEE-42FF-B9DE-35C0CE8676F0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type."}, {"lang": "es", "value": "El componente de base de datos Director de MiVoice Connect hasta la versi\u00f3n 19.3 (22.22.6100.0) podr\u00eda permitir a un atacante autenticado realizar un ataque de inyecci\u00f3n de c\u00f3digo a trav\u00e9s de datos manipulados debido a restricciones insuficientes en el tipo de datos de la base de datos."}], "id": "CVE-2022-41223", "lastModified": "2022-11-26T03:25:42.150", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-22T01:15:32.897", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.mitel.com/support/security-advisories"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0008"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}