CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 1

The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address. • https://github.com/CVE-2023-49954/CVE-2023-49954.github.io https://cve-2023-49954.github.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 4

3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.407 and 18.12.416 of the 3CX DesktopApp Electron Windows application shipped in Update 7, and versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 of the 3CX DesktopApp Electron macOS application. • https://cwe.mitre.org/data/definitions/506.html https://news.sophos.com/en-us/2023/03/29/3cx-dll-sideloading-attack https://www.3cx.com/blog/news/desktopapp-security-alert https://www.crowdstrike.com/blog/crowdstrike-detects-and-prevents-active-intrusion-campaign-targeting-3cxdesktopapp-customers https://www.fortinet.com/blog/threat-research/3cx-desktop-app-compromised https://www.huntress.com/blog/3cx-voip-software-compromise-supply-chain-threats

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

3CX System through 2022-03-17 stores cleartext passwords in a database. • http://packetstormsecurity.com/files/166386/3CX-Phone-System-Cleartext-Passwords.html https://www.3cx.com/community/forums/posts-articles-news • CWE-312: Cleartext Storage of Sensitive Information

CVSS: 9.1 • EPSS: 0% • CPEs: 3 • EXPL: 0

The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation. • https://packetstormsecurity.com/files/166376/3CX-Client-Missing-TLS-Validation.html https://www.3cx.com/community/forums/posts-articles-news • CWE-295: Improper Certificate Validation