PT-2023-9083 · 3Cx · 3Cx

Published: 2023-10-11 · Updated: 2024-01-03 · CVE-2023-49954

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
3CX versions prior to 18.0.9.23
3CX versions 20 prior to 20.0.0.1494

Description
The issue is a SQL injection vulnerability in the CRM Integration of 3CX. It can be exploited via a first name, search string, or email address, allowing a remote attacker to execute arbitrary SQL queries. The vulnerability exists because these user-supplied values are not kept separate from the structure of the SQL query they are inserted into.

Recommendations
For 3CX versions prior to 18.0.9.23, update to version 18.0.9.23 or later to resolve the issue. For 3CX versions 20 prior to 20.0.0.1494, update to version 20.0.0.1494 or later to resolve the issue. As a temporary workaround, consider disabling the SQL Database Integrations to minimize the risk of exploitation.
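The following is an added illustration of the weakness class described above, not code from 3CX or from this advisory. It uses Python's standard-library sqlite3 module as a stand-in for a CRM contact lookup: the table, the sample rows, the crafted input and the function names (lookup_unsafe, lookup_safe, lookup_safe_search) are all constructed for the example. The unsafe function splices a first-name value into the query text, so a quote character in the value alters the query structure; the safe functions fix the query structure and bind the value as a parameter, and the search variant additionally escapes LIKE wildcards so a search string cannot broaden the match.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a CRM contact table.
SAMPLE_CONTACTS = [
    ("Alice", "alice@example.com"),
    ("Bob", "bob@example.com"),
    ("Carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed contacts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (first_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    conn.commit()
    return conn


def lookup_unsafe(conn, first_name):
    """Vulnerable pattern: the value becomes part of the SQL text.

    A quote character inside first_name closes the string literal and the
    remainder of the value is parsed as SQL, changing the query structure.
    """
    sql = "SELECT first_name, email FROM contacts WHERE first_name = '%s'" % first_name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, first_name):
    """Hardened pattern: the SQL text is fixed; the value is bound separately.

    The driver sends the value as data, so it can never be parsed as SQL
    regardless of which characters it contains.
    """
    sql = "SELECT first_name, email FROM contacts WHERE first_name = ?"
    return conn.execute(sql, (first_name,)).fetchall()


def lookup_safe_search(conn, needle):
    """Free-text search with the same protection.

    Binding alone stops structural injection; escaping LIKE wildcards also
    stops a search string from matching more rows than intended.
    """
    escaped = (needle.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = ("SELECT first_name, email FROM contacts "
           "WHERE first_name LIKE ? ESCAPE '\\'")
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def demo():
    """Regression check for the fix: the same crafted value against both forms."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed value containing a quote character
    return {
        "unsafe_rows": len(lookup_unsafe(conn, crafted)),  # structure altered
        "safe_rows": len(lookup_safe(conn, crafted)),      # treated as a name
    }


if __name__ == "__main__":
    print(demo())
```

The regression check in demo() is the kind of test a defender adds after deploying a fix: a value that contains quote characters must return no rows from a name lookup, and a search string made of wildcard characters must not match every contact.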

Fix

Weakness Enumeration
SQL injection

Related Identifiers
BDU:2024-03502
CVE-2023-49954

Affected Products
3Cx