CVE-2022-41223 : The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) c

The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.

Published 2022-11-22 01:15:33

Updated 2025-02-07 14:53:04

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-41223

Mitel » Mivoice Connect
Versions before (<) 19.3
cpe:2.3:a:mitel:mivoice_connect:*:*:*:*:*:*:*:*
Matching versions
Mitel » Mivoice Connect » Version: 19.3
cpe:2.3:a:mitel:mivoice_connect:19.3:-:*:*:*:*:*:*
Matching versions

CVE-2022-41223 is in the CISA Known Exploited Vulnerabilities Catalog

This issue is known to have been leveraged as part of a ransomware campaign.

CISA vulnerability name:

Mitel MiVoice Connect Code Injection Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

The Director component in Mitel MiVoice Connect allows an authenticated attacker with internal network access to execute code within the context of the application.

Notes:

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0008; https://nvd.nist.gov/vuln/detail/CVE-2022-41223

Added on 2023-02-21 Action due date 2023-03-14

Exploit prediction scoring system (EPSS) score for CVE-2022-41223

EPSS FAQ

3.81%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 88 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41223

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-28
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.8	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.9	5.9	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-41223

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-41223

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0008

Mitel Product Security Advisory 22 0008
Vendor Advisory
https://www.mitel.com/support/security-advisories

Security Advisories
Vendor Advisory

CVEs referencing this url