Threat Encyclopedia

Insecure Permissions Allowing Privilege Escalation for 3CXPhone

Description

3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory: Everyone is granted Full Control, which leads to privilege escalation because of a StartUp link. In addition, on 3CX 15.5.6354.2 devices, the "file" parameter in the request "/api/RecordingList/download?file=" allows full access to files on the server via path traversal.

Affected Products

3CXPhone

CVE References

CVE-2019-14935 CVE-2018-7654