Skip to main content

3Cx

7 CVEs product

Monthly

CVE-2023-49954 CRITICAL Act Now

The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi 3Cx
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2023-29059 HIGH POC This Week

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Microsoft 3Cx
NVD
CVSS 3.1
7.8
EPSS
4.4%
CVE-2022-28005 CRITICAL Act Now

An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Path Traversal 3Cx
NVD
CVSS 3.1
9.8
EPSS
6.1%
CVE-2019-14935 HIGH POC This Week

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Microsoft 3Cx
NVD
CVSS 3.0
7.8
EPSS
0.4%
CVE-2019-13176 HIGH POC This Week

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF 3Cx
NVD
CVSS 3.0
7.5
EPSS
2.5%
CVE-2018-7654 MEDIUM This Month

On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal 3Cx
NVD
CVSS 3.0
6.5
EPSS
2.4%
CVE-2017-15359 MEDIUM POC THREAT This Month

In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.4%.

Path Traversal 3Cx
NVD Exploit-DB
CVSS 3.0
6.5
EPSS
10.4%
EPSS 2% CVSS 9.8
CRITICAL Act Now

The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi 3Cx
NVD
EPSS 4% CVSS 7.8
HIGH POC This Week

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Apple Microsoft +1
NVD
EPSS 6% CVSS 9.8
CRITICAL Act Now

An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Path Traversal +1
NVD
EPSS 0% CVSS 7.8
HIGH POC This Week

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Microsoft 3Cx
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF 3Cx
NVD
EPSS 2% CVSS 6.5
MEDIUM This Month

On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal 3Cx
NVD
EPSS 10% CVSS 6.5
MEDIUM POC THREAT This Month

In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 10.4%.

Path Traversal 3Cx
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy