An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482.
References
Link | Resource |
---|---|
https://medium.com/%40frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88 | |
https://www.3cx.com/blog/change-log/phone-system-change-log/ | Release Notes Vendor Advisory |
https://www.3cx.com/blog/releases/v18-security-hotfix/ | Release Notes Vendor Advisory |
https://www.3cx.com/blog/releases/v18-update-3-final/ | Release Notes Vendor Advisory |
Configurations
History
02 May 2023, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482. |
18 May 2022, 14:06
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.3cx.com/blog/releases/v18-update-3-final/ - Release Notes, Vendor Advisory | |
References | (MISC) https://www.3cx.com/blog/change-log/phone-system-change-log/ - Release Notes, Vendor Advisory | |
References | (MISC) https://www.3cx.com/blog/releases/v18-security-hotfix/ - Release Notes, Vendor Advisory | |
CWE | CWE-522 | |
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 9.8 |
CPE | cpe:2.3:a:3cx:3cx:*:*:*:*:*:*:*:* |
06 May 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-05-06 15:15
Updated : 2024-02-04 22:29
NVD link : CVE-2022-28005
Mitre link : CVE-2022-28005
CVE.ORG link : CVE-2022-28005
JSON object : View
Products Affected
3cx
- 3cx
CWE
CWE-522
Insufficiently Protected Credentials