CVE-2021-45491: 
3CX 3CXPhone vulnerability analysis and mitigation

3CX System, through version 2022-03-17, contained a security vulnerability where passwords were stored in cleartext format within its database (NVD, CVE).

The vulnerability has been assigned CVE-2021-45491 and received a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information) (NVD).

The storage of passwords in cleartext format could potentially expose user credentials if unauthorized access to the database was obtained. While administrative rights were required to access these passwords, the practice was considered insecure (Register).

3CX addressed this issue by implementing password hashing in subsequent updates. The fix was specifically applied to the Web Client login, though some passwords (SIP auth ID and password, SIP trunk and gateway passwords, and tunnel passwords) remained unhashed for backward compatibility reasons (Register).

The vulnerability was acknowledged by 3CX CEO Nick Galea, who confirmed the implementation of password hashing as a security improvement. He noted that while the previous storage method wasn't completely insecure due to admin rights requirements, it wasn't considered good practice (Register).