Major voice over IP software provider 3CX has issued a security advisory urging the immediate deactivation of SQL database integrations through PostgreSQL, MySQL, MsSQL, and MongoDB because of a vulnerability, which was later confirmed to be an SQL injection flaw in the software's CRM integration with SQL databases, BleepingComputer reports.
Only 3CX VoIP software versions 18 and 20 are affected by the flaw, according to 3CX Chief Information Security Officer Pierre Jourdan, who gave assurances that the issue does not impact all web-based CRM integrations. "If you're using an SQL Database integration it's subject potentially to a vulnerability depending upon the configuration. As a precautionary measure, and whilst we work on a fix, please follow the instructions below to disable it," said Jourdan. The warning from 3CX comes after North Korean hacking operation UNC4736 targeted the 3CXDesktopApp Electron-based desktop client in a supply chain attack earlier this year.