First published: Sun Aug 11 2019
3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA%\3CXPhone for Windows\PhoneApp" installation directory, allowing Full Control access for Everyone, and leading to privilege escalation because of a StartUp link.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| 3CX 3CX | =15 | |
| Microsoft Windows | | |
The vulnerability ID for this issue is CVE-2019-14935.
The severity of CVE-2019-14935 is high with a severity value of 7.8.
CVE-2019-14935 affects 3CX Phone 15 on Windows by having insecure permissions on the %PROGRAMDATA%\3CXPhone for Windows\PhoneApp installation directory, allowing Full Control access for Everyone, which can lead to privilege escalation.
To fix the insecure permissions on the installation directory, the access control list (ACL) for the directory should be modified to restrict access to authorized users only.
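
One way to carry out the ACL check and restriction described above, as an added PowerShell example (not 3CX's fix and not code from this advisory). It lists Allow entries for Everyone (SID S-1-1-0) that carry write-type rights on the directory named in the advisory and can remove the explicit ones; the function names are hypothetical, and dropping Everyone entirely is an assumption about what "authorized users only" means in your deployment.

```powershell
# Added example, not vendor code. Function names are hypothetical.
function Get-EveryoneWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that allow planting or replacing files, plus GENERIC_ALL and
    # GENERIC_WRITE, which can appear on inherit-only entries.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeBits = $writeBits -bor 0x10000000 -bor 0x40000000
    $acl = Get-Acl -LiteralPath $Path
    # Ask for SIDs so "Everyone" also matches on localized Windows (S-1-1-0).
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq 'S-1-1-0' -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeBits) -ne 0
        }
}

function Remove-EveryoneAce {
    param([Parameter(Mandatory)][string]$Path)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules($everyone)   # removes explicit Everyone entries only
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Directory from the advisory text.
$target = Join-Path $env:ProgramData '3CXPhone for Windows\PhoneApp'

if (-not (Test-Path -LiteralPath $target)) {
    Write-Output "Not present: $target"
} else {
    $aces = @(Get-EveryoneWriteAce -Path $target)
    if ($aces.Count -eq 0) {
        Write-Output "No writable Everyone entry on $target"
    } else {
        $aces | Format-Table FileSystemRights, IsInherited, InheritanceFlags -AutoSize
        if ($aces | Where-Object IsInherited) {
            Write-Warning 'Some entries are inherited; correct them on the parent directory.'
        }
        # Review the output above, then uncomment from an elevated prompt:
        # Remove-EveryoneAce -Path $target
    }
}
```

After applying the change, re-run the check and confirm the client still starts for a standard user, since the access that remains depends on the directory's other ACL entries.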
More information about CVE-2019-14935 is available in the 3CX community thread: https://www.3cx.com/community/threads/security-issue-with-3cx-windows-client-install.64432/