Title: Mitel CCMWeb Unauthenticated Local File Inclusion
A lack of input validation allows an attacker to download arbitrary files from the server.
|MiCC (CcmWeb)|7.x and earlier|
Description of Issue
A local file inclusion vulnerability was discovered in MiContact Center version 7.1. The vulnerability was found in the flexreport component of CCMWeb and could be exploited by an unauthenticated user to download arbitrary files from the server using directory traversal sequences.
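A log check for the traversal described above, as an added example that is not part of the original advisory: it scans IIS W3C-format logs (an assumption; the advisory does not name the web server) for requests to the flexreport component whose decoded URI contains `../` or `..\`. The endpoint name, parameter name and all log lines are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Assumption: affected requests carry "flexreport" in the URI stem; the advisory
# does not give the real endpoint or parameter names.
COMPONENT_HINT = "flexreport"
# ".." used as a path segment: preceded by a separator and followed by / or \ or end.
TRAVERSAL = re.compile(r"(^|[\\/=&?])\.\.([\\/]|$)")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_w3c(lines):
    """Return (client_ip, status, anonymous, decoded_request) per suspicious entry."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem, query = row.get("cs-uri-stem", ""), row.get("cs-uri-query", "-")
        if COMPONENT_HINT not in stem.lower():
            continue
        request = fully_decode(stem + ("?" + query if query != "-" else ""))
        if TRAVERSAL.search(request):
            # The flaw is pre-authentication, so anonymous ("-") hits with
            # status 200 deserve the first look.
            anonymous = row.get("cs-username") == "-"
            hits.append((row.get("c-ip"), row.get("sc-status"), anonymous, request))
    return hits


# Constructed sample log; every value below is a placeholder.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2015-01-20 10:00:01 GET /ccmweb/flexreport/ENDPOINT_PLACEHOLDER PARAM=weekly.pdf alice 10.0.0.5 200
2015-01-20 10:00:07 GET /ccmweb/flexreport/ENDPOINT_PLACEHOLDER PARAM=..%2f..%2fplaceholder.txt - 203.0.113.9 200
2015-01-20 10:00:09 GET /ccmweb/flexreport/ENDPOINT_PLACEHOLDER PARAM=%252e%252e%255c%252e%252e%255cplaceholder.txt - 203.0.113.9 404
2015-01-20 10:00:12 GET /ccmweb/other/page.aspx PARAM=..%2fx - 203.0.113.9 200
""".splitlines()
```
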
The following proof of concept downloads the Windows hosts file.
Reported – 26th January 2015
Accepted – 31st March 2015
Advisory Published – 4th October 2015