CVE-2019-13176

An issue was discovered in the 3CX Phone system (web) management console 12.5.44178.1002 through 12.5 SP2. The Content.MainForm.wgx component is affected by XXE via a crafted XML document in POST data. There is potential to use this for SSRF (reading local files, outbound HTTP, and outbound DNS).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 58%
VendorProductVersion
3cx3cx
12.5:sp1
3cx3cx
12.5:sp2
3cx3cx
12.5.44178.1002
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/
https://www.logicallysecure.com/blog/3cx-phone-system-web-console-affected-by-xxe/