ID

VAR-202308-3003


CVE

CVE-2023-27362


TITLE

Uncontrolled search path element vulnerability in 3CX

Trust: 0.8

sources: JVNDB: JVNDB-2023-029652

DESCRIPTION

3CX Uncontrolled Search Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of 3CX. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of OpenSSL. The product loads an OpenSSL configuration file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-20026.

3CX contains an uncontrolled search path element vulnerability. Information may be obtained or tampered with, and the service may be put into a denial-of-service (DoS) state.

Trust: 2.25

sources: NVD: CVE-2023-27362 // JVNDB: JVNDB-2023-029652 // ZDI: ZDI-23-1153

AFFECTED PRODUCTS

vendor: 3cx, model: 3cx, scope: -, version: -

Trust: 1.5

vendor: 3cx, model: 3cx, scope: lt, version: 18.0.8.917

Trust: 1.0

vendor: 3cx, model: 3cx, scope: gte, version: 18.0.0.451

Trust: 1.0

vendor: 3cx, model: 3cx, scope: eq, version: -

Trust: 0.8

vendor: 3cx, model: 3cx, scope: eq, version: 18.0.0.451 or later and before 18.0.8.917

Trust: 0.8

sources: ZDI: ZDI-23-1153 // JVNDB: JVNDB-2023-029652 // NVD: CVE-2023-27362

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-27362
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2023-27362
value: HIGH

Trust: 1.0

NVD: CVE-2023-27362
value: HIGH

Trust: 0.8

ZDI: CVE-2023-27362
value: CRITICAL

Trust: 0.7

zdi-disclosures@trendmicro.com: CVE-2023-27362
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.0

nvd@nist.gov: CVE-2023-27362
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-27362
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2023-27362
baseSeverity: CRITICAL
baseScore: 7.0
vectorString: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-1153 // JVNDB: JVNDB-2023-029652 // NVD: CVE-2023-27362 // NVD: CVE-2023-27362

PROBLEMTYPE DATA

problemtype:CWE-427

Trust: 1.0

problemtype:Uncontrolled search path elements (CWE-427) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-029652 // NVD: CVE-2023-27362

PATCH

title: 3CX has issued an update to correct this vulnerability.
url: https://www.3cx.com/blog/releases/v18-u8/

Trust: 0.7

sources: ZDI: ZDI-23-1153

EXTERNAL IDS

db: NVD, id: CVE-2023-27362

Trust: 3.3

db: ZDI, id: ZDI-23-1153

Trust: 2.5

db: JVNDB, id: JVNDB-2023-029652

Trust: 0.8

db: ZDI_CAN, id: ZDI-CAN-20026

Trust: 0.7

sources: ZDI: ZDI-23-1153 // JVNDB: JVNDB-2023-029652 // NVD: CVE-2023-27362

REFERENCES

url: https://www.3cx.com/blog/releases/v18-u8/

Trust: 2.5

url: https://www.zerodayinitiative.com/advisories/zdi-23-1153/

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2023-27362

Trust: 0.8

sources: ZDI: ZDI-23-1153 // JVNDB: JVNDB-2023-029652 // NVD: CVE-2023-27362

CREDITS

Xavier DANEST

Trust: 0.7

sources: ZDI: ZDI-23-1153

SOURCES

db: ZDI, id: ZDI-23-1153
db: JVNDB, id: JVNDB-2023-029652
db: NVD, id: CVE-2023-27362

LAST UPDATE DATE

2025-08-15T23:22:07.014000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-23-1153, date: 2023-08-21T00:00:00
db: JVNDB, id: JVNDB-2023-029652, date: 2025-08-14T07:03:00
db: NVD, id: CVE-2023-27362, date: 2025-08-13T00:00:55.333

SOURCES RELEASE DATE

db: ZDI, id: ZDI-23-1153, date: 2023-08-21T00:00:00
db: JVNDB, id: JVNDB-2023-029652, date: 2025-08-14T00:00:00
db: NVD, id: CVE-2023-27362, date: 2024-05-03T02:15:14.350