VoIP communications company 3CX announced a hotfix for an SQL Injection vulnerability affecting 3CX versions 18 and 20.
Tracked as CVE-2023-49954, the flaw exists due to insufficient sanitization of user-supplied data within the 3CX CRM integration. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database. Successful exploitation may allow a remote attacker to read, delete, and modify data in the database and gain complete control over the affected application.
Last week, the company warned customers to disable SQL database integrations because of the risk posed by CVE-2023-49954 until a patch was available.
“If one of the Integration templates has been used (MsSQL, MySQL, PostgreSQL) they can be subject to SQL injection attacks if the 3CX server is available on the internet and no Web application firewall is in front of the 3CX machine. In that case it is possible to manipulate the original SQL query executed against a database,” the vendor wrote in a security advisory.
“Only the above-mentioned SQL Database Templates are affected (MsSQL, MySQL, PostgreSQL) and none of the other web CRM templates. Customers using MongoDB or any of our web based CRM integration templates are not affected by this.”
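The advisory's description, a request whose contents are spliced into the query text so that the original SQL is manipulated, is the classic shape of this flaw class. The script below is an added illustration of it, not 3CX's code or its templates: the `contacts` and `app_users` tables, the caller-ID lookup query, the sample rows, and the `is_plausible_number` check are all constructed for this example. It builds an in-memory SQLite database, runs a lookup that substitutes the caller's number into the query text beside one that binds it as a parameter, and feeds both a normal number, a tautology that returns every contact, and a UNION payload that reads a different table entirely.

```python
import re
import sqlite3

# Constructed sample data (not a real 3CX schema): a contact list that a
# caller-ID lookup would search, plus an unrelated credential table that an
# injection could reach.
CONTACTS = [
    ("Alice Example", "+15551230001"),
    ("Bob Example", "+15551230002"),
    ("Carol Example", "+15551230003"),
]
APP_USERS = [("admin", "constructed-hash-value")]

# Attacker-controlled "caller numbers". TAUTOLOGY widens the WHERE clause so
# every contact matches; UNION_PAYLOAD appends a second SELECT over app_users.
TAUTOLOGY = "' OR '1'='1"
UNION_PAYLOAD = (
    "' UNION SELECT username || ':' || password_hash "
    "FROM app_users WHERE '1'='1"
)


def make_db():
    """Create and populate the in-memory database used by the lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    conn.execute("CREATE TABLE app_users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", CONTACTS)
    conn.executemany("INSERT INTO app_users VALUES (?, ?)", APP_USERS)
    return conn


def lookup_vulnerable(conn, caller_number):
    """Hypothetical template that substitutes the number into the SQL text.

    Whatever the caller sends becomes part of the statement, so quotes and
    keywords in the input change the query rather than the value compared.
    """
    sql = f"SELECT name FROM contacts WHERE phone = '{caller_number}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, caller_number):
    """Same lookup with the number bound as a parameter.

    The statement text is fixed; the driver passes the input as data, so a
    tautology or UNION in the input is just a phone number that matches nothing.
    """
    sql = "SELECT name FROM contacts WHERE phone = ?"
    return [row[0] for row in conn.execute(sql, (caller_number,))]


# Assumed defence-in-depth check: a caller number should look like E.164, an
# optional '+' followed by 3 to 15 digits. Rejecting anything else before the
# query is built blocks these payloads even where a template still concatenates.
PHONE_PATTERN = re.compile(r"^\+?[0-9]{3,15}$")


def is_plausible_number(caller_number):
    return PHONE_PATTERN.match(caller_number) is not None


if __name__ == "__main__":
    db = make_db()
    for payload in ("+15551230001", TAUTOLOGY, UNION_PAYLOAD):
        print(repr(payload))
        print("  plausible number:", is_plausible_number(payload))
        print("  vulnerable   ->", lookup_vulnerable(db, payload))
        print("  parameterized->", lookup_parameterized(db, payload))
```

Running the script shows the vulnerable lookup returning all three contacts for the tautology and the `admin` credential row for the UNION payload, while the parameterized lookup returns an empty list for both and only the legitimate number passes the format check. Parameter binding is the fix; the format check and a WAF in front of the server are layers that reduce exposure while a template still builds SQL from strings, which is the situation the vendor's interim guidance addresses.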
In March 2023, the enterprise phone company revealed that its 3CXDesktopApp Electron-based desktop client had been trojanized in a supply-chain attack by a North Korean threat actor, tracked as UNC4736 and Labyrinth Chollima, to compromise the networks of 3CX’s customers.