Lucene search
+L

12 matches found

CVE
CVE
added 2023/03/30 12:0 a.m.345 views

CVE-2023-29059

CVE-2023-29059 is a supply-chain compromise affecting the 3CX DesktopApp (Windows Electron: 18.12.407/18.12.416; macOS Electron: 18.11.1213/18.12.402/18.12.407/18.12.416). The initial installer drops legitimate 3CX components, then loads a malicious ffmpeg.dll that loads d3dcompiler_47.dll, which...

7.8CVSS7.7AI score0.04373EPSS
In wild
CVE
CVE
added 2023/05/02 12:0 a.m.214 views

CVE-2022-48483

3CX on Windows is vulnerable to a directory-traversal on /Electron/download in versions before 18 Hotfix 1 (18.0.3.461), allowing unauthenticated remote reading of %WINDIR%\system32. Root cause: an incomplete fix for CVE-2022-28005. Impact is read access; no exploit details provided. Remediation:...

7.5CVSS8.7AI score0.01667EPSS
Web
CVE
CVE
added 2023/05/02 12:0 a.m.211 views

CVE-2022-48482

CVE-2022-48482 affects 3CX Phone System on Windows prior to 18 Update 2 Security Hotfix 18.0.2.315. The issue is a directory traversal vulnerability in the /Electron/download interface that allows unauthenticated remote readers to access files (including credentials, backups, call recordings, and...

7.5CVSS8.6AI score0.01822EPSS
CVE
CVE
added 2022/05/06 12:0 a.m.128 views

CVE-2022-28005

CVE-2022-28005 affects the 3CX Phone System Management Console prior to version 18 Update 3 FINAL on Windows. It allows an unauthenticated attacker to traverse the server via /Electron/download with backslash-using path components, leading to cleartext credential disclosure; a subsequent authenti...

9.8CVSS8.2AI score0.0613EPSS
In wild
CVE
CVE
added 2019/08/11 11:3 p.m.119 views

CVE-2019-14935

3CX Phone 15 (Windows) is affected by insecure permissions in the installation directory "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp": Full Control for Everyone, enabling privilege escalation via a StartUp link. Root cause is improper directory permissions granting high access. Multiple sources ...

7.8CVSS7.8AI score0.00369EPSS
CVE
CVE
added 2022/03/28 1:14 a.m.112 views

CVE-2021-45491

CVE-2021-45491 affects 3CX System up to 2022-03-17, where passwords are stored in cleartext in the database and are exportable via the management interface. The vulnerability stems from storing credentials in an unencrypted form, enabling potential disclosure of user passwords. The public documen...

6.5CVSS6.4AI score0.00786EPSS
CVE
CVE
added 2022/03/28 1:10 a.m.85 views

CVE-2021-45490

The CVE-2021-45490 entry concerns 3CX client software (Windows, iOS, Android) through 2022-03-17 where TLS/SSL certificate validation is not performed. The NVD entry documents this as a vulnerability in the clients’ TLS handling, with CVSS v3.1 base score 9.1 (network attack, no privileges, high ...

9.1CVSS8.9AI score0.0107EPSS
CVE
CVE
added 2024/05/03 1:56 a.m.85 views

CVE-2023-27362

CVE-2023-27362 (3CX) involves a vulnerability in 3CX where the OpenSSL configuration file is loaded from an unsecured location, enabling a local attacker who can run low-privilege code to escalate to SYSTEM and execute arbitrary code. The flaw is tied to the product’s OpenSSL configuration handli...

7.8CVSS7.1AI score0.00333EPSS
CVE
CVE
added 2017/10/18 6:0 p.m.82 views

CVE-2017-15359

CVE-2017-15359 affects 3CX Phone System 15.5.3554.1, where the Management Console (typically listening on port 5001) is vulnerable to directory traversal via /api/RecordingList/DownloadRecord?file= and /api/SupportInfo?file=, requiring authentication to exploit. The vulnerability enables an attac...

6.5CVSS6.2AI score0.06168EPSS
Web
CVE
CVE
added 2023/12/25 12:0 a.m.68 views

CVE-2023-49954

The CVE-2023-49954 issue affects the CRM Integration in 3CX, allowing SQL Injection via a first name, search string, or email address. Affected products/versions are 3CX prior to 18.0.9.23 and 3CX 20 prior to 20.0.0.1494. Root cause: improper handling of SQL queries in the CRM Integration, enabli...

9.8CVSS9.7AI score0.02239EPSS
CVE
CVE
added 2019/08/08 1:26 p.m.59 views

CVE-2019-13176

The CVE-2019-13176 issue affects the 3CX Phone System web management console (versions 12.5.44178.1002 through 12.5 SP2). The vulnerable component is Content.MainForm.wgx, which is susceptible to XML External Entity (XXE) processing when a crafted XML document is placed in POST data. This may ena...

7.5CVSS7.3AI score0.02461EPSS
CVE
CVE
added 2018/03/04 1:0 a.m.53 views

CVE-2018-7654

CVE-2018-7654 affects 3CX devices (reported for version 15.5.6354.2). A path traversal flaw in the file parameter of the request /api/RecordingList/download?file= enables full access to server files. Root cause is a path traversal vulnerability in the download endpoint; detailed exploit status is...

6.5CVSS6.4AI score0.02423EPSS
Web