CVE-2022-41223
Code Injection — is CVE-2022-41223real, exploitable, or a false positive? Here's the community ground truth.
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The Director database component of MiVoice Connect through 19.3 (22.22.6100.0) could allow an authenticated attacker to conduct a code-injection attack via crafted data due to insufficient restrictions on the database data type.
References
Published
Embed this verdict
[](https://www.truepositive.app/cve/CVE-2022-41223)<a href="https://www.truepositive.app/cve/CVE-2022-41223"><img src="https://www.truepositive.app/cve/CVE-2022-41223/badge.svg" alt="TruePositive verdict for CVE-2022-41223"></a>Live badge — updates automatically as the community verdict changes.
Community ground truth
Community verdict
3 verdictsIncludes TruePositive's curated baseline from public sources — community verdicts accrue on top.
Pick your verdict — we'll save it right after a quick sign-in.
Practitioners rate this higher than its CVSS — treat with extra caution.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- 0
Mitel MiVoice Connect Code Injection Vulnerability — The Director component in Mitel MiVoice Connect allows an authenticated attacker with internal network access to execute code within the context of the application. Listed in the CISA KEV catalog (added 2023-02-21) — confirmed exploited in the wild, not theoretical. It is linked to known ransomware campaigns. FIRST EPSS puts the chance of exploitation in the next 30 days at ~11%. Treat it as real and prioritize remediation over triage.
- 0
Required action for Mitel MiVoice Connect: Apply updates per vendor instructions. CISA set a federal remediation due date of 2023-03-14. After patching, verify the vulnerable path is no longer reachable before closing the finding.
Related CVEs
Same weakness — CWE-94 · Code Injection.
- CVE-2017-9841CVSS 9.8KEVEPSS 100%
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
- CVE-2015-1635CVSS 9.8KEVEPSS 100%
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
- CVE-2022-22954CVSS 9.8KEVEPSS 100%
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
- CVE-2012-0158CVSS 8.8KEVEPSS 100%
The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers "system state" corruption, as exploited in the wild in April 2012, aka "MSCOMCTL.OCX RCE Vulnerability."
- CVE-2021-22204CVSS 6.8KEVEPSS 100%
Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image
- CVE-2022-22963CVSS 9.8KEVEPSS 100%
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.