Vulnerabilities > 3CX
| Date | CVE | Vulnerability | Description | Score |
|---|---|---|---|---|
| 2023-05-02 | CVE-2022-48482 | Path Traversal vulnerability in 3CX | 3CX before 18 Update 2 Security Hotfix build 188.8.131.525 on Windows allows unauthenticated remote attackers to read certain files via /Electron/download directory traversal. | 7.5 |
| 2023-05-02 | CVE-2022-48483 | Path Traversal vulnerability in 3CX | 3CX before 18 Hotfix 1 build 184.108.40.2061 on Windows allows unauthenticated remote attackers to read %WINDIR%\system32 files via /Electron/download directory traversal in conjunction with a path component that has a drive letter and uses backslash characters. | 7.5 |
| 2022-06-07 | CVE-2019-9971 | Improper Privilege Management vulnerability in multiple products | PhoneSystem Terminal in 3CX Phone System (Debian based installation) 220.127.116.110 allows an attacker to gain root privileges by using sudo with the tcpdump command, without a password. | 9.0 |
| 2022-06-07 | CVE-2019-9972 | Command Injection vulnerability in multiple products | PhoneSystem Terminal in 3CX Phone System (Debian based installation) 18.104.22.1680 allows an authenticated attacker to run arbitrary commands with the phonesystem user privileges because of "<space><space> followed by <shift><enter>" mishandling. | 9.0 |
| 2022-06-06 | CVE-2022-27438 | Download of Code Without Integrity Check vulnerability in multiple products | Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater) are affected by a remote code execution vulnerability via the CustomDetection parameter in the update check function. | 8.1 |
| 2022-05-06 | CVE-2022-28005 | Insufficiently Protected Credentials vulnerability in 3CX | An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. | 9.8 |
| 2022-03-28 | CVE-2021-45490 | Improper Certificate Validation vulnerability in 3CX | The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. | 6.4 |
| 2022-03-28 | CVE-2021-45491 | Cleartext Storage of Sensitive Information vulnerability in 3CX | 3CX System through 2022-03-17 stores cleartext passwords in a database. | 4.0 |
| 2020-03-20 | CVE-2019-12498 | Missing Authorization vulnerability in 3CX Live Chat | The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism. | 7.5 |
| 2019-08-22 | CVE-2014-10386 | Injection vulnerability in 3CX Live Chat | | 6.1 |