Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
3cx 3cx vulnerabilities and exploits
(subscribe to this query)
7.8
CVSSv3
CVE-2023-29059
3CX DesktopApp up to and including 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, a...
3cx 3cx 18.12.407
3cx 3cx 18.12.416
3cx 3cx 18.12.402
3cx 3cx 18.11.1213
1 Github repository
7.5
CVSSv3
CVE-2019-13176
An issue exists in the 3CX Phone system (web) management console 12.5.44178.1002 up to and including 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTT...
3cx 3cx 12.5
3cx 3cx 12.5.44178.1002
9.8
CVSSv3
CVE-2022-28005
An issue exists in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that ...
3cx 3cx
6.5
CVSSv3
CVE-2021-45491
3CX System through 2022-03-17 stores cleartext passwords in a database.
3cx 3cx
1 Article
9.1
CVSSv3
CVE-2021-45490
The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation.
3cx 3cx
7.5
CVSSv3
CVE-2022-48482
3CX prior to 18 Update 2 Security Hotfix build 18.0.2.315 on Windows allows unauthenticated remote malicious users to read certain files via /Electron/download directory traversal. Files may have credentials, full backups, call recordings, and chat logs.
3cx 3cx
7.5
CVSSv3
CVE-2022-48483
3CX prior to 18 Hotfix 1 build 18.0.3.461 on Windows allows unauthenticated remote malicious users to read %WINDIR%\system32 files via /Electron/download directory traversal in conjunction with a path component that has a drive letter and uses backslash characters. NOTE: this iss...
3cx 3cx
9.8
CVSSv3
CVE-2023-49954
The CRM Integration in 3CX prior to 18.0.9.23 and 20 prior to 20.0.0.1494 allows SQL Injection via a first name, search string, or email address.
3cx 3cx
6.5
CVSSv3
CVE-2017-15359
In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be a...
3cx 3cx 15.5.3554.1
1 EDB exploit
6.5
CVSSv3
CVE-2018-7654
On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal.
3cx 3cx 15.5.6354.2
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
NULL pointer dereference
CVE-2023-52689
CVE-2024-23803
client side
CVE-2023-52696
information disclosure
CVE-2024-35843
CVE-2024-27130
CVE-2023-52697
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
1
2
3
4
NEXT »