
Cloud Vulnerability DB
A community-led vulnerabilities database
The client applications in 3CX on Windows, the 3CX app for iOS, and the 3CX application for Android through 2022-03-17 lack SSL certificate validation (NVD, CVE). The vulnerability was assigned CVE-2021-45490 and was discovered in December 2021.
The vulnerability has been assigned a CVSS v3.1 Base Score of 9.1 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). The vulnerability is related to improper certificate validation (CWE-295) in the client applications, affecting multiple platforms including Windows, iOS and Android versions through March 17, 2022 (NVD).
The lack of SSL certificate validation could allow attackers to intercept and manipulate communications between the client and server, potentially leading to information disclosure and integrity breaches. The vulnerability affects confidentiality and integrity of communications, though availability is not impacted (NVD).
Users should upgrade to versions released after March 17, 2022, which include proper SSL certificate validation. The vulnerability affects the following versions: 3CX for Windows (legacy) versions up to 2022-03-17, 3CX for iOS versions up to 18.0.4, and 3CX for Android versions up to 18.0.11 (NVD).
Source: This report was generated using AI