CVE-2023-49954.github.io

SQL Injection in 3CX CRM Integration

For the CRM integration, 3CX ships query templates for connecting to various databases.
In these templates, placeholders ([FirstName], [SearchText], [Email]) are substituted into the queries.
The values substituted for these placeholders come from user input that is not sanitized, so the resulting queries are vulnerable to SQL injection.
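The placeholder substitution described above, as an added example that is not 3CX's code (the template text is constructed, and SQLite stands in for the CRM database): plain text substitution next to a version that turns each quoted placeholder into a bound parameter, so the input is data rather than SQL.

```python
import re
import sqlite3

# Constructed template in the style of the 3CX CRM SQL templates the advisory
# describes (hypothetical text; the real templates are not reproduced here).
SEARCH_TEMPLATE = (
    "SELECT id, first_name, email FROM contacts "
    "WHERE first_name LIKE '[SearchText]' OR email = '[Email]'"
)

# A quoted placeholder such as '[SearchText]' stands for one SQL string literal.
QUOTED_PLACEHOLDER = re.compile(r"'\[(\w+)\]'")

def render_unsafe(template, values):
    """Text substitution: the user's input becomes part of the SQL statement.
    This is the vulnerable pattern; kept only so the contrast is visible."""
    return QUOTED_PLACEHOLDER.sub(
        lambda m: "'" + values.get(m.group(1), "") + "'", template
    )

def render_parameterized(template, values):
    """Replace each quoted placeholder with a bind marker and collect the values
    in order, so the database driver treats the input strictly as data."""
    params = []

    def to_marker(match):
        params.append(values.get(match.group(1), ""))
        return "?"

    return QUOTED_PLACEHOLDER.sub(to_marker, template), params

def search_contacts(conn, search_text, email):
    """Run the search template with bound parameters; LIKE wildcards travel
    inside the parameter value, never in the SQL text."""
    sql, params = render_parameterized(
        SEARCH_TEMPLATE, {"SearchText": f"%{search_text}%", "Email": email}
    )
    return conn.execute(sql, params).fetchall()

def demo_db():
    """Constructed in-memory contact table (sample rows, not 3CX data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER, first_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                     [(1, "Alice", "alice@example.com"), (2, "Bob", "bob@example.com")])
    return conn

if __name__ == "__main__":
    print(search_contacts(demo_db(), "O'Brien", ""))  # quote is data: [] and no error
```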

Affected Versions

Affected CRM Solutions

https://www.3cx.com/docs/sql-database-pbx-integration/

Timeline

Fix

3CX will soon provide a hotfix (18.0.9.23, 20.0.0.1494) that fixes the issue; until then, the only mitigation is to deactivate the CRM integration by setting the CRM solution to None (see the blog post for illustrated instructions).

Attack Vectors

The CRM integration queries are executed at various points, e.g. when creating or searching contacts in the WebClient, and even through the public LiveChat API.
Below are two examples.

WebClient (authenticated)

LiveChat API (unauthenticated)