CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Description (NVD)
A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4, 10.1.0.0 through 10.1.0.5, and 10.2.0.0 through 10.2.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts with limited impact on confidentiality and integrity.
Analysis (AI)
CVE-2025-27828 is a reflected cross-site scripting (XSS) vulnerability in the legacy chat component of Mitel MiContact Center Business that allows unauthenticated attackers to execute arbitrary scripts in victim browsers through maliciously crafted URLs. The vulnerability affects multiple versions (10.0.0.4 and earlier, 10.1.0.0-10.1.0.5, and 10.2.0.0-10.2.0.4) and requires user interaction to exploit. While the CVSS score of 7.1 is moderate-to-high, the impact is limited to confidentiality and integrity with no availability impact, and exploitation requires social engineering to trick users into clicking malicious links.
Technical Context (AI)
This vulnerability stems from insufficient input validation in the legacy chat component (CWE-79: Improper Neutralization of Input During Web Page Generation), a classic reflected XSS flaw where user-supplied input is reflected back in HTTP responses without proper encoding or sanitization. The affected product is Mitel MiContact Center Business (CPE context suggests enterprise communications software), where the chat feature fails to validate or encode user-controlled parameters before rendering them in HTML context. The legacy nature of the component indicates this may be older code with outdated security practices, potentially using unsafe string concatenation or DOM manipulation instead of secure templating frameworks.
Remediation (AI)
Patching: Upgrade MiContact Center Business to patched versions (exact patched versions not provided in input data; contact Mitel support or check Mitel security advisories for 10.0.0.5+, 10.1.0.6+, or 10.2.0.5+). Priority: High

Immediate Mitigation: If patching is delayed, disable or restrict access to the legacy chat component to authenticated users only; implement network-level restrictions (WAF rules) to filter reflected XSS payloads in chat parameters (e.g., filter script tags, event handlers, javascript: URIs). Priority: High

Detection: Monitor HTTP logs for suspicious chat component URLs containing script tags, HTML entities, or encoded payloads; alert on requests with high entropy in chat parameters. Priority: Medium

User Education: Train users not to click external links to MiContact Center chat interfaces; verify chat URLs come from trusted internal sources before clicking. Priority: Medium

Code Remediation (Vendor/Development): Implement proper input validation and output encoding: use parameterized/context-aware templating engines, encode all user input with HTML entity encoding, and implement Content Security Policy (CSP) headers to restrict script execution. Priority: High
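The detection item above (script tags, HTML entities, encoded payloads, high-entropy chat parameters) as a worked log check. This is an added example, not code from vuln.today, Mitel or the advisory: the chat URL prefix, parameter names and log lines are constructed placeholders, since the advisory names neither the component's path nor its parameters.

```python
import math
import re
from html import unescape
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed placeholder: the advisory does not name the chat component's path
# or parameters, so this prefix and the sample log lines below are assumptions.
CHAT_PATH_PREFIX = "/chat/"

# Indicators the remediation text names: script tags, inline event handlers, javascript: URIs.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),
    re.compile(r"[\s\"'/<]on[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]
# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def normalize(value: str) -> str:
    """Peel repeated URL encoding (up to 3 layers), then HTML entity encoding."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unescape(value)

def shannon_entropy(s: str) -> float:
    """Bits per character; random or encoded payloads score higher than chat text."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s)) for n in (s.count(c) for c in set(s)))

def inspect_request(target: str, min_len: int = 24, threshold: float = 4.5) -> list:
    """Return reasons a chat-component request looks like a reflected-XSS attempt."""
    parts = urlsplit(target)
    if not parts.path.startswith(CHAT_PATH_PREFIX):
        return []  # only the legacy chat component is in scope
    reasons = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = normalize(raw)  # parse_qsl decodes one layer; normalize peels the rest
        reasons += [f"{name}: matches {p.pattern}" for p in XSS_PATTERNS if p.search(value)]
        if len(value) >= min_len and shannon_entropy(value) > threshold:
            reasons.append(f"{name}: high entropy {shannon_entropy(value):.2f}")
    return reasons

def scan_log(lines) -> list:
    hits = []  # (target, reasons) for every parsable line that trips a check
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (reasons := inspect_request(m.group("target"))):
            hits.append((m.group("target"), reasons))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /chat/legacy?name=alice&msg=hello HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /chat/legacy?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /chat/legacy?msg=%2522%2520onerror%253Dx HTTP/1.1" 200 640',
    '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /status?q=%3Cscript%3E HTTP/1.1" 200 80',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second line (script tag) and the third line (double-URL-encoded event handler) and ignores the non-chat path; tune `CHAT_PATH_PREFIX` and the entropy threshold to the real deployment before alerting on it.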
EUVD-2025-19033