Edward Amaral Toledano

**Name of the Vulnerable Software and Affected Versions** 3CX Phone system (web) management console versions 12.5.44178.1002 through 12.5 SP2 **Description** An issue was discovered in the management console, where the Content.MainForm.wgx component is affected by an XML External Entity (XXE) vulnerability via a crafted XML document in POST data. This could potentially be used for Server-Side Request Forgery (SSRF), allowing for the reading of local files, outbound HTTP requests, and outbound DNS queries. **Recommendations** For versions 12.5.44178.1002 through 12.5 SP2, consider disabling the Content.MainForm.wgx component as a temporary workaround until a patch is available. Restrict access to the management console to minimize the risk of exploitation. Avoid using crafted XML documents in POST data to the affected component until the issue is resolved.