CVE-2019-13176
HIGH
3CX Phone System Management Console - XML External Entity Injection
Title source: manual
Description
An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).
References (1)
Exploit, Third Party Advisory x_refsource_misc
https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/
Scores
CVSS v3
7.5
EPSS
0.0246
EPSS Percentile
82.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-611
Status
published
Products (2)
3cx/3cx
12.5 sp1 (2 CPE variants)
3cx/3cx
12.5.44178.1002
Published
Aug 08, 2019
Tracked Since
Feb 18, 2026