Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29379
HistoryMay 06, 2013 - 12:00 a.m.

VULNERABLE and COMPLETELY outdated 3rd-party libraries/components used in 3CX Phone 6

2013-05-0600:00:00
vulners.com
13
JSON

Hi @ll,

the current 3CXPhone6.msi (for Windows), available from
<http://www.3cx.com/VOIP/sip-phone/&gt;, digitally signed on 2012-07-30,
installs the following outdated and vulnerable 3rd-party libraries:

  • libeay32.dll and ssleay32.dll version 0.9.8h (from 2008-05-28)
    of OpenSSL.

    The current version of OpenSSL is 0.9.8y, see
    <http://www.openssl.org/&gt;, it fixes about 20 CVEs found in earlier
    versions downto 0.9.8h.

  • FFmpeg/FFdshow version 1.1.0

    The current version of FFmpeg/FFdshow is 1.2, see
    <http://www.ffmpeg.org/security.html&gt; for the 24 fixed CVEs since
    1.1.0.

Timeline:


2013-05-03    vendor informed

2013-05-05    vendor replied:
              &quot;3CX Phone is freeware, use another software&quot;

I second that: don&#39;t use software from 3CX!

2013-05-06    report published


Stefan Kanthak
JSON