Vulnerabilities > 3CX
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-12-25 | CVE-2023-49954 | SQL Injection vulnerability in 3CX The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address. | 9.8 |
| 2023-05-02 | CVE-2022-48482 | Path Traversal vulnerability in 3CX 3CX before 18 Update 2 Security Hotfix build 18.0.2.315 on Windows allows unauthenticated remote attackers to read certain files via /Electron/download directory traversal. | 7.5 |
| 2023-05-02 | CVE-2022-48483 | Path Traversal vulnerability in 3CX 3CX before 18 Hotfix 1 build 18.0.3.461 on Windows allows unauthenticated remote attackers to read %WINDIR%\system32 files via /Electron/download directory traversal in conjunction with a path component that has a drive letter and uses backslash characters. | 7.5 |
| 2023-03-30 | CVE-2023-29059 | Unspecified vulnerability in 3CX 3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. | 7.8 |
| 2022-06-07 | CVE-2019-9971 | Improper Privilege Management vulnerability in multiple products PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an attacker to gain root privileges by using sudo with the tcpdump command, without a password. | 8.8 |
| 2022-06-07 | CVE-2019-9972 | Command Injection vulnerability in multiple products PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary commands with the phonesystem user privileges because of "<space><space> followed by <shift><enter>" mishandling. | 8.8 |
| 2022-06-06 | CVE-2022-27438 | Download of Code Without Integrity Check vulnerability in multiple products Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater) are affected by a remote code execution vulnerability via the CustomDetection parameter in the update check function. network high complexity caphyon realdefense prusa3d plagiarismcheckerx vigem nefarius moonsoftware getmailbird krylack jpsoft jki honeygain guzogo gamecaster gainedge fxsound freesnippingtool flamory emeditor codesector boom 3cx vpnhood vrdesktop urban-vpn xsplit rovio synaptics rstinstruments CWE-494 | 8.1 |
| 2022-05-06 | CVE-2022-28005 | Insufficiently Protected Credentials vulnerability in 3CX An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. | 9.8 |
| 2022-03-28 | CVE-2021-45490 | Improper Certificate Validation vulnerability in 3CX The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. | 9.1 |
| 2022-03-28 | CVE-2021-45491 | Cleartext Storage of Sensitive Information vulnerability in 3CX 3CX System through 2022-03-17 stores cleartext passwords in a database. | 6.5 |