← Back to CVE List

CVE-2022-28005

Published: 2022-05-06T15:15Z
Last Modified: 2024-11-21T06:56Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
An issue was discovered in the 3CX Phone System Management Console prior to version 18 Update 3 FINAL. An unauthenticated attacker could abuse improperly secured access to arbitrary files on the server (via /Electron/download directory traversal in conjunction with a path component that uses backslash characters), leading to cleartext credential disclosure. Afterwards, the authenticated attacker is able to upload a file that overwrites a 3CX service binary, leading to Remote Code Execution as NT AUTHORITY\SYSTEM on Windows installations. NOTE: this issue exists because of an incomplete fix for CVE-2022-48482. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt