CVE-2023-49954
3CX 3CXPhone vulnerability analysis and mitigation

Overview

The CRM Integration in 3CX versions before 18.0.9.23 and 20 before 20.0.0.1494 contains a critical SQL injection vulnerability (CVE-2023-49954). Attackers can inject SQL through a first name, search string, or email address that is processed by the CRM integration templates used to connect to various databases (CVE Details, Security Online).

Technical details

The vulnerability exists in the CRM integration templates, which use placeholders ([FirstName], [SearchText], [Email]) to populate database queries. The templates substitute user-supplied values into the query text without properly sanitizing them when connecting to databases such as MongoDB, MsSQL, MySQL, and PostgreSQL. The vulnerability has received a CVSS v3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its severity (NVD).
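To make the placeholder mechanism concrete, the following is an added example (not 3CX code; the template shape, column names, and sample rows are constructed for illustration, and an in-memory SQLite database stands in for the SQL databases the advisory names). It contrasts the vulnerable pattern, text substitution of [FirstName]/[Email] into the query string, with the hardened pattern of turning each placeholder into a bind parameter, and it includes a small audit function that flags placeholders sitting inside a quoted SQL literal, which is the check a defender would run over a set of CRM templates. An ordinary name containing an apostrophe is enough to show the difference: substitution breaks the query, parameter binding does not.

```python
import re
import sqlite3

# Placeholder names taken from the advisory; the regexes and template below are
# this example's own constructions, not 3CX code.
PLACEHOLDER_RE = re.compile(r"\[(FirstName|SearchText|Email)\]")
# A placeholder that stands alone as a quoted SQL literal, e.g. '[Email]'.
QUOTED_PLACEHOLDER_RE = re.compile(r"'\[(FirstName|SearchText|Email)\]'")

# Constructed sample template in the style the advisory describes (hypothetical).
SAMPLE_TEMPLATE = (
    "SELECT id, first_name, email FROM contacts "
    "WHERE first_name = '[FirstName]' OR email = '[Email]'"
)


def audit_template(template):
    """Return the placeholders that sit inside a single-quoted SQL literal.

    Those are the spots where user-controlled text is spliced into the query
    as raw SQL. An odd number of quotes before the placeholder means it is
    inside a literal ('' escapes add two quotes and leave the parity unchanged).
    """
    flagged = []
    for m in PLACEHOLDER_RE.finditer(template):
        if template[: m.start()].count("'") % 2 == 1:
            flagged.append(m.group(1))
    return flagged


def render_by_substitution(template, values):
    """The vulnerable pattern: plain text replacement of placeholders in the SQL."""
    return PLACEHOLDER_RE.sub(lambda m: values.get(m.group(1), ""), template)


def render_parameterized(template, values):
    """The hardened pattern: each quoted placeholder becomes a bind marker and
    its value is passed separately, so the database never parses it as SQL.

    Only whole-literal placeholders are converted; if one is left over (for
    example embedded in LIKE '%[SearchText]%'), fail closed rather than splice.
    """
    params = []

    def to_marker(m):
        params.append(values.get(m.group(1), ""))
        return "?"  # sqlite3 'qmark' style; other drivers use %s or $1

    sql = QUOTED_PLACEHOLDER_RE.sub(to_marker, template)
    if PLACEHOLDER_RE.search(sql):
        raise ValueError("placeholder not convertible to a bind parameter: " + sql)
    return sql, params


def run_demo(first_name):
    """Run both renderings of SAMPLE_TEMPLATE against an in-memory SQLite table
    holding constructed sample rows, and return what each produced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER, first_name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?, ?)",
        [(1, "O'Brien", "ob@example.invalid"), (2, "Ada", "ada@example.invalid")],
    )
    values = {"FirstName": first_name, "Email": ""}
    results = {}
    try:
        results["substitution"] = conn.execute(
            render_by_substitution(SAMPLE_TEMPLATE, values)
        ).fetchall()
    except sqlite3.Error as exc:
        # An apostrophe in ordinary data already confuses the SQL parser; that
        # confusion is exactly what SQL injection depends on.
        results["substitution"] = "error: " + str(exc)
    sql, params = render_parameterized(SAMPLE_TEMPLATE, values)
    results["parameterized"] = conn.execute(sql, params).fetchall()
    conn.close()
    return results


if __name__ == "__main__":
    print("placeholders inside literals:", audit_template(SAMPLE_TEMPLATE))
    for name in ("Ada", "O'Brien"):
        print(name, "->", run_demo(name))
```

The audit step is the cheap part to reuse: any template in which a placeholder has an odd number of single quotes before it is feeding user text into the query as SQL, and that is the template to rewrite with bind parameters (or to disable, as the vendor workaround below does). Real drivers differ in parameter style (`?` for sqlite3 and ODBC, `%s` for common MySQL and PostgreSQL Python drivers), so the marker emitted by `render_parameterized` would be chosen per backend.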

Impact

The SQL injection vulnerability could allow attackers to manipulate database queries and potentially read or corrupt stored data. According to 3CX's CISO Pierre Jourdan, approximately 0.25% of 3CX's user base (a minimum of 875 customers) could be affected. The attack vectors include both authenticated WebClient access and unauthenticated LiveChat API endpoints (Bleeping Computer).

Mitigation and workarounds

Until the release of the hotfix (versions 18.0.9.23 and 20.0.0.1494), 3CX recommends customers disable CRM integration by setting the CRM solution to 'None'. This is currently the only viable workaround to protect against potential SQL injection attacks. The vulnerability specifically affects SQL Database Templates (MsSQL, MySQL, PostgreSQL), while customers using MongoDB or web-based CRM integration templates are not affected (Bleeping Computer).

Community reactions

The vulnerability was initially discovered by independent security researcher Theo Stein on October 11, 2023. Despite multiple attempts to contact 3CX through various channels, including CERT/CC, the company did not acknowledge the vulnerability until December 15, 2023. This delayed response has raised concerns in the security community about 3CX's vulnerability disclosure handling (Bleeping Computer).

Additional resources

Source: This report was generated using AI.

Related 3CX 3CXPhone vulnerabilities:

CVE ID          Severity  Score  Technologies                      Component name  CISA KEV exploit  Has fix  Published date
CVE-2023-49954  CRITICAL  9.8    3CX 3CXPhone (cpe:2.3:a:3cx:3cx)  3CX 3CXPhone    No                Yes      Dec 25, 2023
CVE-2023-27362  HIGH      7.8    3CX 3CXPhone (cpe:2.3:a:3cx:3cx)  3CX 3CXPhone    No                Yes      May 03, 2024
CVE-2023-29059  HIGH      7.8    3CX 3CXPhone (cpe:2.3:a:3cx:3cx)  3CX 3CXPhone    No                Yes      Mar 30, 2023
CVE-2022-48483  HIGH      7.5    3CX 3CXPhone (cpe:2.3:a:3cx:3cx)  3CX 3CXPhone    No                Yes      May 02, 2023
CVE-2022-48482  HIGH      7.5    3CX 3CXPhone (cpe:2.3:a:3cx:3cx)  3CX 3CXPhone    No                Yes      May 02, 2023
