CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-45490
https://notcve.org/view.php?id=CVE-2021-45490
The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. Las aplicaciones cliente en 3CX en Windows, la aplicación 3CX para iOS, y la aplicación 3CX para Android versiones hasta 17-03-2022 carecen de comprobación de certificado SSL • https://packetstormsecurity.com/files/166376/3CX-Client-Missing-TLS-Validation.html https://www.3cx.com/community/forums/posts-articles-news • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2019-14935
https://notcve.org/view.php?id=CVE-2019-14935
3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link. Phone 15 de 3CX en Windows, presenta permisos no seguros en el directorio de instalación "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp", permitiendo acceso de Control total para Everyone y conlleva a una escalada de privilegios debido a un enlace StartUp. • https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 1CVE-2019-13176
https://notcve.org/view.php?id=CVE-2019-13176
An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS). Se detecto un problema en la consola de administración del sistema telefónico 3CX (web) versiones 12.5.44178.1002 a 12.5 SP2. El componente Content.MainForm.wgx se ve afectado por XXE a través de un documento XML diseñado en datos POST. • https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-12498 – WP Live Chat Support <= 8.0.32 - Unprotected Functions
https://notcve.org/view.php?id=CVE-2019-12498
The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permission_check protection mechanism. El plugin WP Live Chat Support versiones anteriores a 8.0.33 para WordPress, acepta determinadas llamadas de la API REST sin invocar el mecanismo de protección en la función wplc_api_permission_check. • https://plugins.trac.wordpress.org/changeset/2098577/wp-live-chat-support/trunk https://plugins.trac.wordpress.org/log/wp-live-chat-support https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14950 – WP Live Chat Support <= 8.0.27 - Unauthenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-14950
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page. El plugin wp-live-chat-support anterior a la versión 8.0.27 para WordPress tiene XSS a través de la página GDPR. • https://wordpress.org/plugins/wp-live-chat-support/#developers • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •