Vulnerable instances of the Mitel MiCollab enterprise communication and collaboration platform could have their files compromised through a new proof-of-concept exploit that chains the patched critical authentication bypass flaw, tracked as CVE-2024-41713, with a yet-to-be-addressed post-authentication arbitrary file read bug, The Hacker News reports.
Intrusions leveraging CVE-2024-41713, which stems from insufficient input validation in MiCollab's NuPoint Unified Messaging (NPM) component, could facilitate not only unauthenticated access to provisioning data but also unauthenticated execution of admin tasks, according to an analysis from watchTowr Labs, which discovered the flaw after replicating an earlier NPM vulnerability, tracked as CVE-2024-35286. watchTowr Labs researcher Sonny Macdonald described the findings as illuminating. "[I]t has acted as a real-world example that full access to the source code is not always needed – even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills can be the basis for a successful hunt for vulnerabilities," Macdonald said.