CVE-2024-35286

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-35286
A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*
History

07 Jul 2025, 17:55

Type Values Removed Values Added
CPE cpe:2.3:a:mitel:micollab:*:*:*:*:*:*:*:*
References () https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014 - () https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014 - Vendor Advisory
First Time Mitel
Mitel micollab

23 Oct 2024, 15:12

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en NuPoint Messenger (NPM) de Mitel MiCollab hasta la versión 9.8.0.33 permite a un atacante no autenticado realizar un ataque de inyección SQL debido a una desinfección insuficiente de la entrada del usuario. Una explotación exitosa podría permitir a un atacante acceder a información confidencial y ejecutar operaciones arbitrarias de administración y bases de datos.

22 Oct 2024, 14:35

Type Values Removed Values Added
CWE CWE-89
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

21 Oct 2024, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-21 21:15

Updated : 2025-07-07 17:55

NVD link : CVE-2024-35286

Mitre link : CVE-2024-35286

CVE.ORG link : CVE-2024-35286

JSON object : View

Products Affected

mitel

  • micollab
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')