3cx live chat

34 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2023-27362
>= 18.0.0.451 and < 18.0.8.917
3CX Uncontrolled Search Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privi
7.8 HIGH
CVE-2023-49954
< 18.0.9.23
The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or ema
9.8 CRITICAL
CVE-2022-48483
< 18.0.3.461
3CX before 18 Hotfix 1 build 18.0.3.461 on Windows allows unauthenticated remote attackers to read %WINDIR%\system32 files via /El
7.5 HIGH
CVE-2022-48482
< 18.0.2.315
3CX before 18 Update 2 Security Hotfix build 18.0.2.315 on Windows allows unauthenticated remote attackers to read certain files v
7.5 HIGH
CVE-2023-29059
all versions
3CX DesktopApp through 18.12.416 has embedded malicious code, as exploited in the wild in March 2023. This affects versions 18.12.
7.8 HIGH
CVE-2019-9972
all versions
PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an authenticated attacker to run arbitrary
8.8 HIGH
CVE-2019-9971
all versions
PhoneSystem Terminal in 3CX Phone System (Debian based installation) 16.0.0.1570 allows an attacker to gain root privileges by usi
8.8 HIGH
CVE-2022-27438
all versions
Caphyon Ltd Advanced Installer 19.3 and earlier and many products that use the updater from Advanced Installer (Advanced Updater)
8.1 HIGH
CVE-2022-28005
<= 18.0.3.450
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker
9.8 CRITICAL
CVE-2021-45491
<= 2022-03-17
3CX System through 2022-03-17 stores cleartext passwords in a database.
6.5 MEDIUM
CVE-2021-45490
<= 18.0.11
The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL ce
9.1 CRITICAL
CVE-2019-12498
< 8.0.33
The WP Live Chat Support plugin before 8.0.33 for WordPress accepts certain REST API calls without invoking the wplc_api_permissio
9.8 CRITICAL
CVE-2014-10386
< 4.1.0
The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScript injections.
6.1 MEDIUM
CVE-2017-18507
< 7.1.05
The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS.
6.1 MEDIUM
CVE-2019-14950
< 8.0.27
The wp-live-chat-support plugin before 8.0.27 for WordPress has XSS via the GDPR page.
6.1 MEDIUM
CVE-2017-18508
< 7.1.03
The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS.
6.1 MEDIUM
CVE-2016-10879
< 6.2.02
The wp-live-chat-support plugin before 6.2.02 for WordPress has XSS.
6.1 MEDIUM
CVE-2019-14935
all versions
3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allo
7.8 HIGH
CVE-2019-13176
all versions
An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wg
7.5 HIGH
CVE-2019-11185
< 8.0.26
The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results fro
9.8 CRITICAL
CVE-2019-9913
< 8.0.18
The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.
6.1 MEDIUM
CVE-2018-18460
all versions
XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.ph
6.1 MEDIUM
CVE-2018-14907
all versions
The Web server in 3CX version 15.5.8801.3 is vulnerable to Information Leakage, because of improper error handling in Stack traces
5.3 MEDIUM
CVE-2018-14906
all versions
The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on all stack traces' propertyPath parameters.
6.1 MEDIUM
CVE-2018-14905
all versions
The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on the api/CallLog TimeZoneName parameter.
6.1 MEDIUM
CVE-2018-12426
< 8.0.07
The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to clie
9.8 CRITICAL
CVE-2018-11105
< 8.0.08
There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name)
6.1 MEDIUM
CVE-2018-9864
< 8.0.06
The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.
6.1 MEDIUM
CVE-2018-7654
all versions
On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on
6.5 MEDIUM
CVE-2017-15359
all versions
In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal a
6.5 MEDIUM
CVE-2017-2187
<= 7.0.06
Cross-site scripting vulnerability in WP Live Chat Support prior to version 7.0.07 allows remote attackers to inject arbitrary web
6.1 MEDIUM
CVE-2008-6896
all versions
login.php in 3CX Phone System 6.0.806.0, when 100% disk capacity is reached, allows remote attackers to gain sensitive information
CVE-2008-6895
all versions
3CX Phone System 6.0.806.0 allows remote attackers to cause a denial of service (unstable service or crash) via unspecified vector
CVE-2008-6894
all versions
Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3CX Phone System Free Edition 6.1793 and 6.0.806.0 allow remot
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin