On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal.
References
Link | Resource |
---|---|
http://www.rootlabs.com.br/path-traversal-in-3cx/ | Third Party Advisory |
https://medium.com/stolabs/path-traversal-in-3cx-7421a8ffdb7a | Third Party Advisory |
Configurations
History
No history.
Information
Published : 2018-03-04 01:29
Updated : 2024-02-04 19:46
NVD link : CVE-2018-7654
Mitre link : CVE-2018-7654
CVE.ORG link : CVE-2018-7654
JSON object : View
Products Affected
3cx
- 3cx
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')