CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2019-13176

HIGH
7.5
CVSS Severity Score
EPSS Score0.1680%
EPSS Percentile13.02th
Published2019年8月8日
Last Modified2024年11月21日

Vulnerability Description

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).

Affected Platforms (CPE)

📦
3cx

3cx

= 12.5
📦
3cx

3cx

= 12.5
📦
3cx

3cx

= 12.5.44178.1002

References & Advisories

🔗 https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/
🔗 https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/

相關漏洞威脅

CVE-2021-454909.1

The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL ce...

CVE-2019-99728.8

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary...

CVE-2019-99718.8

PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an attacker to gain root privileges by usi...

CVE-2019-149357.8

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allo...