CyberSec.Space Logo
Back to CVE Browser

CVE-2019-13176

HIGH
7.5
CVSS Severity Score
EPSS Score0.1680%
EPSS Percentile13.02th
PublishedAug 8, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).

Affected Platforms (CPE)

📦
3cx

3cx

= 12.5
📦
3cx

3cx

= 12.5
📦
3cx

3cx

= 12.5.44178.1002

References & Advisories

🔗 https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/
🔗 https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/

Related Vulnerabilities

CVE-2021-454909.1

The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL ce...

CVE-2019-99728.8

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary...

CVE-2019-99718.8

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an attacker to gain root privileges by usi...

CVE-2019-149357.8

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allo...