VoIP powerhouse 3CX urges deactivation of SQL database integrations

Major voice-over-IP software provider 3CX has issued a security advisory urging the immediate deactivation of SQL database integrations with PostgreSQL, MySQL, MsSQL, and MongoDB because of a vulnerability, later confirmed to be an SQL injection flaw in the software's CRM integration with SQL databases, BleepingComputer reports. Only 3CX VoIP software versions 18 and 20 are affected by the flaw, according to 3CX Chief Information Security Officer Pierre Jourdan, who gave assurances that the issue does not impact all web-based CRM integrations. "If you're using an SQL Database integration it's subject potentially to a vulnerability depending upon the configuration. As a precautionary measure, and whilst we work on a fix, please follow the instructions below to disable it," said Jourdan. The warning comes after North Korean hacking operation UNC4736 targeted the Electron-based 3CXDesktopApp desktop client in a supply chain attack earlier this year.
