Vulnerabilities > 3CX > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-08-03 | CVE-2018-14905 | Cross-site Scripting vulnerability in 3CX web Server 15.5.8801.3 The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on the api/CallLog TimeZoneName parameter. | 6.1 |
| 2018-05-15 | CVE-2018-11105 | Cross-site Scripting vulnerability in 3CX Live Chat There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker would initiate a new chat with an administrator. | 6.1 |
| 2018-04-09 | CVE-2018-9864 | Cross-site Scripting vulnerability in 3CX Live Chat The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field. | 6.1 |
| 2018-03-04 | CVE-2018-7654 | Path Traversal vulnerability in 3CX 15.5.6354.2 On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal. | 6.5 |
| 2017-10-18 | CVE-2017-15359 | Path Traversal vulnerability in 3CX 15.5.3554.1 In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. | 6.5 |
| 2017-06-09 | CVE-2017-2187 | Cross-site Scripting vulnerability in 3CX Live Chat Cross-site scripting vulnerability in WP Live Chat Support prior to version 7.0.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 6.1 |