Vulnerabilities for '3CX'

2022-03-28
 
CVE-2021-45490

CWE-295
 

 
The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation.

 
 
CVE-2021-45491

CWE-312
 

 
3CX System through 2022-03-17 stores cleartext passwords in a database.

 
2019-08-11
 
CVE-2019-14935

CWE-275
 

 
3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.

 
2019-08-08
 
CVE-2019-13176

CWE-611
 

 
An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).

 
2018-03-03
 
CVE-2018-7654

CWE-22
 

 
On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal.

 
2017-10-18
 
CVE-2017-15359

CWE-22
 

 
In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be authenticated to exploit this issue to access sensitive information to aid in subsequent attacks.

 

Vendor: 3CX (4 products)
Phone system
3CX
3cx web server
Wp-live chat


Copyright 2024, cxsecurity.com

 
