
Cloud Vulnerability DB
A community-led vulnerabilities database
3CX before 18 Update 2 Security Hotfix build 18.0.2.315 on Windows allowed unauthenticated remote attackers to read certain files via /Electron/download directory traversal. The vulnerability could expose sensitive information including credentials, full backups, call recordings, and chat logs (NVD).
The vulnerability existed in the ManagementConsoleJS.Provisioning.ElectronController class, specifically in the Download method reachable through the /download/{platform}/{file} endpoint. The issue stemmed from improper validation of the user-controlled parameters passed to Path.Combine() calls, allowing directory traversal. Attackers could exploit this by using the Windows backslash character as the directory separator, which nginx forwarded to the application unmodified (Medium Blog).
The vulnerability allowed attackers to access sensitive files within C:\ProgramData\3CX\Instance1\Data and its subdirectories. This included access to credentials stored in cleartext, chat logs, call recordings, and complete backups of the 3CX installation (Medium Blog).
The vulnerability was patched in 3CX Version 18, Update 2 Security Hotfix, Build 18.0.2.315, released in February 2022. The fix added a Utilities.IsVulnerablePath(file) check that validates the supplied file path and rejects directory traversal attempts (3CX Changelog).
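As an added illustration of the kind of check the fix describes (this is not 3CX's code and not its Utilities.IsVulnerablePath implementation), the following validator rejects the backslash and rooted-path cases that make Path.Combine escape the base directory. It uses Python's ntpath module so the Windows path semantics are reproduced on any platform; the base directory is a constructed placeholder.

```python
import ntpath
from typing import Optional

# Constructed placeholder for the Electron download directory; only the Windows
# path semantics matter for this illustration, not 3CX's real layout.
ELECTRON_DIR = r"C:\ProgramData\3CX\Instance1\Data\Electron"


def is_vulnerable_path(segment: str) -> bool:
    """Return True when a user-supplied path segment must be rejected."""
    if not segment or "\x00" in segment:
        return True
    # nginx forwards '\' unmodified and Windows treats it as a separator,
    # so normalise '/' to '\' before any other check.
    normalized = segment.replace("/", "\\")
    # A rooted segment ('\x') or a drive/stream colon ('C:x', 'x:stream') makes
    # Path.Combine discard the base directory entirely.
    if normalized.startswith("\\") or ":" in normalized:
        return True
    for part in normalized.split("\\"):
        # Windows trims trailing dots and spaces, so '..', '.. ' and '...'
        # all collapse to an empty name; reject every such part.
        if part.rstrip(" .") == "":
            return True
    return False


def resolve_download(platform: str, file: str) -> Optional[str]:
    """Build base\\platform\\file; return None unless the result stays inside base."""
    if is_vulnerable_path(platform) or is_vulnerable_path(file):
        return None
    full = ntpath.normpath(ntpath.join(ELECTRON_DIR, platform, file))
    # Defence in depth: the normalised path must still be below the base
    # directory (compared case-insensitively, as NTFS does).
    base = ELECTRON_DIR.rstrip("\\").lower() + "\\"
    if not full.lower().startswith(base):
        return None
    return full
```

The final prefix check is kept even though the segment validation already rejects traversal, so that a future change to the segment rules cannot silently reopen the hole.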
Source: This report was generated using AI