Vulnerabilities > 3CX > 3CX > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-28 | CVE-2021-45490 | Improper Certificate Validation vulnerability in 3CX The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. | 6.4 |
| 2022-03-28 | CVE-2021-45491 | Cleartext Storage of Sensitive Information vulnerability in 3CX 3CX System through 2022-03-17 stores cleartext passwords in a database. | 4.0 |
| 2019-08-12 | CVE-2019-14935 | Incorrect Permission Assignment for Critical Resource vulnerability in 3CX 15 3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. | 4.6 |
| 2019-08-08 | CVE-2019-13176 | XXE vulnerability in 3CX 12.5/12.5.44178.1002 An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. | 5.0 |
| 2018-03-04 | CVE-2018-7654 | Path Traversal vulnerability in 3CX 15.5.6354.2 On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal. | 4.0 |
| 2017-10-18 | CVE-2017-15359 | Path Traversal vulnerability in 3CX 15.5.3554.1 In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. | 4.0 |