Vulnerabilities > 3CX
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-10-18 | CVE-2018-18460 | Cross-site Scripting vulnerability in 3CX Live Chat 8.0.15 XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.php wplivechat-menu-gdpr-page request. | 6.1 |
| 2018-08-03 | CVE-2018-14907 | Information Exposure Through an Error Message vulnerability in 3CX web Server 15.5.8801.3 The Web server in 3CX version 15.5.8801.3 is vulnerable to Information Leakage, because of improper error handling in Stack traces, as demonstrated by discovering a full pathname. | 5.3 |
| 2018-08-03 | CVE-2018-14906 | Cross-site Scripting vulnerability in 3CX web Server 15.5.8801.3 The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on all stack traces' propertyPath parameters. | 6.1 |
| 2018-08-03 | CVE-2018-14905 | Cross-site Scripting vulnerability in 3CX web Server 15.5.8801.3 The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on the api/CallLog TimeZoneName parameter. | 6.1 |
| 2018-07-02 | CVE-2018-12426 | Unrestricted Upload of File with Dangerous Type vulnerability in 3CX Live Chat The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to client-side validation of allowed file types, as demonstrated by a v1/remote_upload request with a .php filename and the image/jpeg content type. | 9.8 |
| 2018-05-15 | CVE-2018-11105 | Cross-site Scripting vulnerability in 3CX Live Chat There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker would initiate a new chat with an administrator. | 6.1 |
| 2018-04-09 | CVE-2018-9864 | Cross-site Scripting vulnerability in 3CX Live Chat The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field. | 6.1 |
| 2018-03-04 | CVE-2018-7654 | Path Traversal vulnerability in 3CX 15.5.6354.2 On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal. | 6.5 |
| 2017-10-18 | CVE-2017-15359 | Path Traversal vulnerability in 3CX 15.5.3554.1 In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. | 6.5 |
| 2017-06-09 | CVE-2017-2187 | Cross-site Scripting vulnerability in 3CX Live Chat Cross-site scripting vulnerability in WP Live Chat Support prior to version 7.0.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 6.1 |