3cx

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-9913 13cx 1Live Chat Nov 21, 2024 Mar 22, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The wp-live-chat-support plugin before 8.0.18 for WordPress has wp-admin/admin.php?page=wplivechat-menu-gdpr-page term XSS.
CVE-2018-18460 13cx 1Live Chat Nov 21, 2024 Oct 18, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 XSS exists in the wp-live-chat-support v8.0.15 plugin for WordPress via the modules/gdpr.php term parameter in a wp-admin/admin.php wplivechat-menu-gdpr-page request.
CVE-2018-14907 13cx 13cx Web Server Nov 21, 2024 Aug 3, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 The Web server in 3CX version 15.5.8801.3 is vulnerable to Information Leakage, because of improper error handling in Stack traces, as demonstrated by discovering a full pathname.
CVE-2018-14906 13cx 13cx Web Server Nov 21, 2024 Aug 3, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on all stack traces' propertyPath parameters.
CVE-2018-14905 13cx 13cx Web Server Nov 21, 2024 Aug 3, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Web server in 3CX version 15.5.8801.3 is vulnerable to Reflected XSS on the api/CallLog TimeZoneName parameter.
CVE-2018-12426 13cx 1Live Chat Nov 21, 2024 Jul 2, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to client-side validation of allowed file types, as demonstrated by a v1/remote_upload request wi...Show more The WP Live Chat Support Pro plugin before 8.0.07 for WordPress is vulnerable to unauthenticated Remote Code Execution due to client-side validation of allowed file types, as demonstrated by a v1/remote_upload request with a .php filename and the image/jpeg content type.Show less
CVE-2018-11105 13cx 1Live Chat Nov 21, 2024 May 15, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat w...Show more There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" (aka wplc_name) and "email" (aka wplc_email) input fields to wp-json/wp_live_chat_support/v1/start_chat whenever a malicious attacker would initiate a new chat with an administrator. NOTE: this issue exists because of an incomplete fix for CVE-2018-9864.Show less
CVE-2018-9864 13cx 1Live Chat Nov 21, 2024 Apr 9, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The WP Live Chat Support plugin before 8.0.06 for WordPress has stored XSS via the Name field.
CVE-2018-7654 13cx 13cx Nov 21, 2024 Mar 4, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 On 3CX 15.5.6354.2 devices, the parameter "file" in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal.
CVE-2017-15359 13cx 13cx May 13, 2026 Oct 18, 2017 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vuln...Show more In the 3CX Phone System 15.5.3554.1, the Management Console typically listens to port 5001 and is prone to a directory traversal attack: "/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be authenticated to exploit this issue to access sensitive information to aid in subsequent attacks.Show less
CVE-2017-2187 13cx 1Live Chat May 13, 2026 Jun 9, 2017 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting vulnerability in WP Live Chat Support prior to version 7.0.07 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2008-6896 13cx 1Phone System Apr 23, 2026 Aug 3, 2009 N/A· v4 N/A· v3 5.0 MEDIUM· v2 login.php in 3CX Phone System 6.0.806.0, when 100% disk capacity is reached, allows remote attackers to gain sensitive information via unspecified vectors that reveal the installation path.
CVE-2008-6895 13cx 1Phone System Apr 23, 2026 Aug 3, 2009 N/A· v4 N/A· v3 7.8 HIGH· v2 3CX Phone System 6.0.806.0 allows remote attackers to cause a denial of service (unstable service or crash) via unspecified vectors, as demonstrated by vulnerability scans from Nessus or SAINT.
CVE-2008-6894 13cx 1Phone System Apr 23, 2026 Aug 3, 2009 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3CX Phone System Free Edition 6.1793 and 6.0.806.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fName and (2) fPassword par...Show more Multiple cross-site scripting (XSS) vulnerabilities in login.php in 3CX Phone System Free Edition 6.1793 and 6.0.806.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fName and (2) fPassword parameters.Show less

Previous 12