Mitel CCMWeb Unauthenticated Local File Inclusion

Advisory Information

Title: Mitel CCMWeb Unauthenticated Local File Inclusion

Date Published: 

Advisory Summary

A lack of input validation allows an attacker to download arbitrary files from the server.



Affected Software

Product Version
MiCC (CcmWeb 7.x and earlier

Description of Issue

A local file inclusion vulnerability was discovered in the MiContact Center version 7.1. This vulnerability was found in the flexreport component of CCMWeb and could be exploited by an unauthenticated user to reveal arbitrary files by utilising directory traversal sequences to download files.


The following proof of concept downloads the Windows host file.\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts


Reported – 26th January 2015

Accepted – 31st March 2015

Advisory Published – 4th October 2015