12.5.44178.1002

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

3cx

CWE-611

NVD

Published: 2019-08-08

Updated: 2019-08-28

Summary

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).

Vulnerable Configurations

Part	Description	Count
Application	3Cx 3CX 3CX 12.5.44178.1002 3CX 3CX 12.5	3

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/