3cx

3cx

12 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.8

CVE-2023-27362

  • EPSS 0.2%
  • Published 03.05.2024 02:15:14
  • Last modified 13.08.2025 00:00:55

3CX Uncontrolled Search Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 3CX. An attacker must first obtain the ability to execute low-privileged code on the ...

9.8

CVE-2023-49954

  • EPSS 0.68%
  • Published 25.12.2023 08:15:07
  • Last modified 23.04.2025 17:16:40

The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address.

7.5

CVE-2022-48483

  • EPSS 0.32%
  • Published 02.05.2023 05:15:28
  • Last modified 30.01.2025 17:15:12

3CX before 18 Hotfix 1 build 18.0.3.461 on Windows allows unauthenticated remote attackers to read %WINDIR%\system32 files via /Electron/download directory traversal in conjunction with a path component that has a drive letter and uses backslash char...

7.5

CVE-2022-48482

  • EPSS 0.58%
  • Published 02.05.2023 05:15:27
  • Last modified 30.01.2025 16:15:28

3CX before 18 Update 2 Security Hotfix build 18.0.2.315 on Windows allows unauthenticated remote attackers to read certain files via /Electron/download directory traversal. Files may have credentials, full backups, call recordings, and chat logs.

7.8

CVE-2023-29059

Exploit
  • EPSS 0.23%
  • Published 30.03.2023 17:15:06
  • Last modified 05.05.2025 16:15:34

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12...

9.8

CVE-2022-28005

  • EPSS 5.57%
  • Published 06.05.2022 15:15:08
  • Last modified 21.11.2024 06:56:35

An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in c...

9.1

CVE-2021-45490

  • EPSS 0.13%
  • Published 28.03.2022 02:15:06
  • Last modified 21.11.2024 06:32:19

The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation.

6.5

CVE-2021-45491

  • EPSS 0.15%
  • Published 28.03.2022 02:15:06
  • Last modified 21.11.2024 06:32:19

3CX System through 2022-03-17 stores cleartext passwords in a database.

7.8

CVE-2019-14935

Exploit
  • EPSS 0.04%
  • Published 12.08.2019 00:15:10
  • Last modified 21.11.2024 04:27:43

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.

7.5

CVE-2019-13176

Exploit
  • EPSS 0.37%
  • Published 08.08.2019 14:15:11
  • Last modified 21.11.2024 04:24:21

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading...