Search criteria
33 vulnerabilities found for x2crm by x2engine
FKIE_CVE-2024-48120
Vulnerability from fkie_nvd - Published: 2024-10-14 14:15 - Updated: 2024-10-29 20:57
Severity
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Summary
X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://okankurtulus.com.tr/2024/09/12/x2crm-v8-5-stored-cross-site-scripting-xss-authenticated/ | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7D3A8BCC-7431-4545-8B68-38979A8B0C1A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the \"Opportunities\" module. An attacker can inject malicious JavaScript code into the \"Name\" field when creating a list."
},
{
"lang": "es",
"value": "X2CRM v8.5 es vulnerable a un ataque Cross-Site Scripting (XSS) almacenado en el m\u00f3dulo \"Oportunidades\". Un atacante puede inyectar c\u00f3digo JavaScript malicioso en el campo \"Nombre\" al crear una lista."
}
],
"id": "CVE-2024-48120",
"lastModified": "2024-10-29T20:57:53.360",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-10-14T14:15:11.780",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://okankurtulus.com.tr/2024/09/12/x2crm-v8-5-stored-cross-site-scripting-xss-authenticated/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2021-33853
Vulnerability from fkie_nvd - Published: 2022-03-16 15:15 - Updated: 2024-11-21 06:09
Severity
Summary
A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.
References
| Source | URL | Tags |
|---|---|---|
| disclose@cybersecurityworks.com | https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AFC3B1A3-7188-4562-AD4F-C9284F82246B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user\u2019s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM."
},
{
"lang": "es",
"value": "Un ataque de tipo Cross-Site Scripting (XSS) puede causar una ejecuci\u00f3n de c\u00f3digo arbitrario (javascript) en el navegador de un usuario mientras el navegador est\u00e1 conectado a un sitio web confiable. Como veh\u00edculo para el ataque, la aplicaci\u00f3n es dirigida a usuarios y no a la propia aplicaci\u00f3n. Adem\u00e1s, la carga \u00fatil de tipo XSS es ejecutada cuando el usuario intenta acceder a cualquier p\u00e1gina del CRM.\n"
}
],
"id": "CVE-2021-33853",
"lastModified": "2024-11-21T06:09:42.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-16T15:15:10.217",
"references": [
{
"source": "disclose@cybersecurityworks.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
}
],
"sourceIdentifier": "disclose@cybersecurityworks.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "disclose@cybersecurityworks.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-21087
Vulnerability from fkie_nvd - Published: 2021-04-14 14:15 - Updated: 2024-11-21 05:12
Severity
Summary
Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/X2Engine/X2CRM/issues/162 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/X2Engine/X2CRM/issues/162 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83D6B813-5205-4EE3-BB5D-C6BB62F18A8C",
"versionEndIncluding": "6.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the \"New Name\" field of the \"Rename a Module\" tool."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross Site Scripting (XSS) en X2engine X2CRM versiones v6.9 y anteriores, permite a atacantes remotos ejecutar c\u00f3digo arbitrario al inyectar c\u00f3digo web o HTML arbitrario por medio del campo \"New Name\" de la herramienta \"Rename a Module\""
}
],
"id": "CVE-2020-21087",
"lastModified": "2024-11-21T05:12:25.477",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-14T14:15:13.147",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/162"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/162"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-21088
Vulnerability from fkie_nvd - Published: 2021-04-14 14:15 - Updated: 2024-11-21 05:12
Severity
Summary
Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/X2Engine/X2CRM/issues/161 | Exploit, Third Party Advisory |
| cve@mitre.org | https://github.com/X2Engine/X2CRM/issues/183 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/X2Engine/X2CRM/issues/161 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/X2Engine/X2CRM/issues/183 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E857D0EB-324B-4501-9AA1-966454FEFF3A",
"versionEndIncluding": "7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"First Name\" and \"Last Name\" fields in \"/index.php/contacts/create page\""
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross Site Scripting (XSS) en X2engine X2CRM versiones v7.1 y anteriores, permite a atacantes remotos obtener informaci\u00f3n confidencial al inyectar un script web o HTML arbitrario por medio de los campos \"First Name\" y \"Last Name\" en \"/index.php/contacts/create page\""
}
],
"id": "CVE-2020-21088",
"lastModified": "2024-11-21T05:12:25.627",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-14T14:15:13.210",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-27288
Vulnerability from fkie_nvd - Published: 2021-04-14 14:15 - Updated: 2024-11-21 05:57
Severity
Summary
Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | https://github.com/X2Engine/X2CRM/issues/183 | Exploit, Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/X2Engine/X2CRM/issues/183 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0EC1EFA1-2C2E-4B7A-B8D4-7A30FD3BA2CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"Comment\" field in \"/profile/activity\" page."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross Site Scripting (XSS) en X2Engine X2CRM versi\u00f3n v7.1, permite a atacantes remotos obtener informaci\u00f3n confidencial al inyectar un script web o HTML arbitrario por medio del campo \"\"Comment\" en la p\u00e1gina \"/profile/activity\""
}
],
"id": "CVE-2021-27288",
"lastModified": "2024-11-21T05:57:45.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-04-14T14:15:13.710",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-2664
Vulnerability from fkie_nvd - Published: 2017-10-17 15:29 - Updated: 2025-04-20 01:37
Severity
Summary
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
References
| Source | URL | Tags |
|---|---|---|
| cve@mitre.org | http://karmainsecurity.com/KIS-2014-04 | Third Party Advisory |
| cve@mitre.org | http://secunia.com/advisories/57315 | Third Party Advisory |
| cve@mitre.org | http://www.securityfocus.com/bid/66506/discuss | Third Party Advisory, VDB Entry |
| cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/92169 | Third Party Advisory, VDB Entry |
| cve@mitre.org | https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4 | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://karmainsecurity.com/KIS-2014-04 | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/57315 | Third Party Advisory |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/66506/discuss | Third Party Advisory, VDB Entry |
| af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/92169 | Third Party Advisory, VDB Entry |
| af854a3a-2127-422b-91ae-364da2661108 | https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4 | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "23D7A12D-9F73-4AA8-AE24-16FC34A60370",
"versionEndIncluding": "3.7.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory."
},
{
"lang": "es",
"value": "Vulnerabilidad de subida de archivos sin restricci\u00f3n en el m\u00e9todo ProfileController::actionUploadPhoto en protected/controllers/ProfileController.php en X2Engine X2CRM en versiones anteriores a la 4.0 permite que atacantes remotos ejecuten c\u00f3digo arbitrario mediante la subida de un archivo con una extensi\u00f3n ejecutable y, a continuaci\u00f3n, acceder a \u00e9ste por medio de una petici\u00f3n directa al archivo en un directorio sin especificar."
}
],
"id": "CVE-2014-2664",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-17T15:29:00.230",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://karmainsecurity.com/KIS-2014-04"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/57315"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://karmainsecurity.com/KIS-2014-04"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/57315"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
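The two upload entries on this page (CVE-2014-2664, an unrestricted photo upload, and CVE-2015-5074, an extension denylist that forgot `.pht`) share one root cause: deciding what a file is from a list of extensions the author remembered to block. The following is an added example, not X2CRM code and not the FileUploadsFilter class itself. `denylist_allows` is a constructed stand-in for the incomplete-blacklist pattern; `allowlist_allows` and `handle_upload` show the check a profile-photo upload should perform instead. The extension sets, magic bytes and function names are this example's own assumptions, and Python is used because the check is language-agnostic.

```python
"""Extension denylist vs. allowlist for an upload handler (added example)."""
import os
import re
import secrets

# Constructed denylist: every entry is an extension the author remembered.
# The bypass is whatever else the web server's PHP handler mapping executes
# (CVE-2015-5074 names .pht); a denylist can never enumerate that reliably.
DENYLIST = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}

# Allowlist for a photo upload: only the types the feature actually needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes each allowed type must start with, so content matches extension.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# The stem may not contain '.', so 'shell.php.png' (which Apache mod_mime can
# still hand to the PHP handler) and NUL-byte tricks are rejected outright.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def denylist_allows(filename: str) -> bool:
    """Fragile check: accept unless the final extension is on the denylist."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


def allowlist_allows(filename: str, content: bytes) -> bool:
    """Robust check: known extension, clean stem, and content that matches."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWLIST:
        return False
    if not SAFE_STEM.fullmatch(stem):
        return False
    return content.startswith(MAGIC[ext])


def handle_upload(filename: str, content: bytes):
    """Return (accepted, name_to_store); the stored name never comes from the client."""
    if not allowlist_allows(filename, content):
        return False, None
    ext = os.path.splitext(filename)[1].lower()
    return True, secrets.token_hex(16) + ext


if __name__ == "__main__":
    php_stub = b"<?php system($_GET['c']); ?>"        # constructed web-shell body
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16     # constructed image header
    for name, body in [("shell.php", php_stub), ("shell.pht", php_stub),
                       ("shell.php.png", png_stub), ("photo.png", png_stub)]:
        print(f"{name:16} denylist={denylist_allows(name)!s:5} "
              f"allowlist={allowlist_allows(name, body)}")
```

Run it and `shell.pht` passes the denylist but not the allowlist; `shell.php.png` is rejected by the stem rule even though its bytes look like a PNG. Serving the upload directory with script execution disabled (or from a separate origin) is the second layer; the allowlist is not a substitute for it.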
FKIE_CVE-2015-5076
Vulnerability from fkie_nvd - Published: 2015-09-29 19:59 - Updated: 2025-04-12 10:46
Severity
Summary
Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F97F1853-9245-47B1-9670-FD15641F129A",
"versionEndIncluding": "5.0.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en X2Engine X2CRM en versiones anteriores a 5.0.9, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) version en protected/views/admin/formEditor.php; (2) importld en protected/views/admin/rollbackImport.php; (3) bc, (4) fg. (5) bgc o (6) font en protected/views/site/listener.php; (7) Services[*] en protected/components/views/webForm.php; (8) file en protected/components/TranslationManager.php; (9) x2_key en protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; (10) id en protected/modules/contacts/controllers/ContactsController.php; o (11) lastEventld a index.php/profile/getEvents."
}
],
"id": "CVE-2015-5076",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-09-29T19:59:04.513",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
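Most entries on this page are CWE-79: stored XSS through a field an authenticated user controls (the Opportunity "Name" in CVE-2024-48120, the activity "Comment" in CVE-2021-27288, contact "First Name"/"Last Name" in CVE-2020-21088) and reflected XSS through request parameters (the `version`, `importId` and other parameters in CVE-2015-5076). The fix is the same in every case: encode each value for the context it is written into, at output time. The following is an added example, not X2CRM code or the vendor's fix; the field and parameter names come from the CVE text, the templates and render functions are hypothetical, and the payloads are constructed for this example.

```python
"""Context-aware output encoding for stored and reflected XSS (added example)."""
import html
import json

# Constructed attacker input: what an authenticated user could type into the
# Opportunity "Name" field, and what a crafted link's `version` parameter carries.
STORED_NAME = "<img src=x onerror=alert(document.cookie)>"
REFLECTED_VERSION = '"><script>alert(1)</script>'


def render_unsafe(name: str, version: str) -> str:
    """The bug: raw interpolation, so user data is parsed as markup."""
    return (f"<h1>{name}</h1>\n"
            f'<input name="version" value="{version}">')


def render_safe(name: str, version: str) -> str:
    """HTML-body and attribute contexts: entity-encode, and quote attributes."""
    return (f"<h1>{html.escape(name)}</h1>\n"
            f'<input name="version" value="{html.escape(version, quote=True)}">')


def js_string_literal(value: str) -> str:
    """JS-string context: HTML escaping is the wrong encoder here.

    json.dumps handles quotes and backslashes; the extra replacements stop a
    value containing </script> from closing the surrounding script element.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_script_safe(name: str) -> str:
    """Embedding the same stored value inside an inline script."""
    return f"<script>var opportunityName = {js_string_literal(name)};</script>"


def contains_raw_markup(rendered: str, payload: str) -> bool:
    """True when the payload reached the output without encoding."""
    return payload in rendered


if __name__ == "__main__":
    print(render_unsafe(STORED_NAME, REFLECTED_VERSION))
    print(render_safe(STORED_NAME, REFLECTED_VERSION))
    print(render_script_safe(STORED_NAME))
```

Note that the stored payload is harmless in the database; it only becomes a vulnerability in the template that prints it, which is why input "sanitising" at save time (the approach that tends to leave one field unfiltered, as the list of separate X2CRM field CVEs shows) does not replace output encoding.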
FKIE_CVE-2015-5075
Vulnerability from fkie_nvd - Published: 2015-09-29 19:59 - Updated: 2025-04-12 10:46
Severity
Summary
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17131BA3-9934-4931-A4D6-E0AD5E275AE9",
"versionEndIncluding": "5.0.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create."
},
{
"lang": "es",
"value": "Vulnerabilidad de CSRF en X2Engine X2CRM en versiones anteriores a 5.2, permite a atacantes remotos secuestrar la autenticaci\u00f3n de administradores debido a peticiones que crean una cuenta administrativa a trav\u00e9s de una petici\u00f3n a index.php/users/create manipulada."
}
],
"id": "CVE-2015-5075",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-09-29T19:59:03.357",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/38321/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/38321/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
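CVE-2015-5075 is the classic CSRF shape: `index.php/users/create` trusted the admin's session cookie alone, so any page the admin visited could submit the form and create an administrative account. The following is an added example, not X2CRM code: `users_create_vulnerable` is a constructed stand-in for the pre-fix handler, and `users_create` adds a per-session synchronizer token compared in constant time. The Origin/Referer check is an extra layer this example adds (the CVE text does not describe it), the session and request objects are plain dicts, and `SITE_ORIGIN` and the form field names are assumptions.

```python
"""Synchronizer-token CSRF check for an admin-only request (added example)."""
import hmac
import secrets

SITE_ORIGIN = "https://crm.example.test"   # assumed deployment origin


def new_session(username: str, is_admin: bool) -> dict:
    """Server-side session; the token lives here, not only in a cookie."""
    return {"user": username, "is_admin": is_admin,
            "csrf": secrets.token_urlsafe(32)}


def users_create_vulnerable(session: dict, form: dict, users: dict):
    """Pre-fix shape: a forged cross-site POST rides the admin's cookie."""
    if not session.get("is_admin"):
        return 403, "forbidden"
    users[form["username"]] = {"admin": form.get("admin") == "1"}
    return 201, "created"


def origin_ok(headers: dict) -> bool:
    """Fail closed: a state-changing request with no Origin/Referer is rejected."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def users_create(session: dict, form: dict, headers: dict, users: dict):
    """Fixed shape: same authorisation, plus origin and token checks."""
    if not session.get("is_admin"):
        return 403, "forbidden"
    if not origin_ok(headers):
        return 403, "bad origin"
    # Constant-time compare; an absent token compares as "" and fails.
    if not hmac.compare_digest(form.get("_csrf", ""), session["csrf"]):
        return 403, "missing or wrong csrf token"
    if form["username"] in users:
        return 409, "exists"
    users[form["username"]] = {"admin": form.get("admin") == "1"}
    return 201, "created"


# Constructed attacker form: what an auto-submitting page on attacker.test sends.
FORGED_FORM = {"username": "backdoor", "password": "hunter2", "admin": "1"}
FORGED_HEADERS = {"Origin": "https://attacker.test"}


def run_scenario():
    """Replay the forged request against both handlers; return both user tables."""
    session = new_session("admin", True)
    before, after = {}, {}
    users_create_vulnerable(session, FORGED_FORM, before)
    users_create(session, FORGED_FORM, FORGED_HEADERS, after)
    legit = dict(FORGED_FORM, username="alice", _csrf=session["csrf"])
    users_create(session, legit, {"Origin": SITE_ORIGIN}, after)
    return before, after


if __name__ == "__main__":
    vulnerable_users, fixed_users = run_scenario()
    print("vulnerable handler:", vulnerable_users)
    print("fixed handler:     ", fixed_users)
```

The forged request creates `backdoor` as an admin through the vulnerable handler and is refused by the fixed one, while the admin's own form submission (which carries the token the server issued to that session) still succeeds. Setting the session cookie with `SameSite=Lax` or `Strict` reduces exposure further, but the token check is what makes the endpoint safe regardless of browser behaviour.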
FKIE_CVE-2015-5074
Vulnerability from fkie_nvd - Published: 2015-09-29 19:59 - Updated: 2025-04-12 10:46
Severity
Summary
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F97F1853-9245-47B1-9670-FD15641F129A",
"versionEndIncluding": "5.0.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension."
},
{
"lang": "es",
"value": "Vulnerabilidad de lista negra incompleta en la clase FileUploadsFilter en protected/components/filters/FileUploadsFilter.php en X2Engine X2CRM en versiones anteriores a 5.0.9, permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario mediante la subida de un archivo con una extensi\u00f3n .pht."
}
],
"id": "CVE-2015-5074",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-09-29T19:59:02.013",
"references": [
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/38323/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/38323/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2013-5693
Vulnerability from fkie_nvd - Published: 2013-09-30 22:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| x2engine | x2crm | * |
| x2engine | x2crm | 1.0 |
| x2engine | x2crm | 1.0.1 |
| x2engine | x2crm | 1.1.0 |
| x2engine | x2crm | 1.2.0 |
| x2engine | x2crm | 1.2.1 |
| x2engine | x2crm | 1.2.2 |
| x2engine | x2crm | 1.3 |
| x2engine | x2crm | 1.3.1 |
| x2engine | x2crm | 2.2 |
| x2engine | x2crm | 2.2.1 |
| x2engine | x2crm | 2.5 |
| x2engine | x2crm | 2.5.2 |
| x2engine | x2crm | 2.7 |
| x2engine | x2crm | 2.7.1 |
| x2engine | x2crm | 2.7.2 |
| x2engine | x2crm | 2.8 |
| x2engine | x2crm | 2.8.1 |
| x2engine | x2crm | 2.9 |
| x2engine | x2crm | 2.9.1 |
| x2engine | x2crm | 3.0 |
| x2engine | x2crm | 3.0.1 |
| x2engine | x2crm | 3.0.2 |
| x2engine | x2crm | 3.1 |
| x2engine | x2crm | 3.1.1 |
| x2engine | x2crm | 3.1.2 |
| x2engine | x2crm | 3.2 |
| x2engine | x2crm | 3.3 |
| x2engine | x2crm | 3.3.1 |
| x2engine | x2crm | 3.3.2 |
| x2engine | x2crm | 3.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD0FC2A-1253-4C27-9A45-7C797EC52BA6",
"versionEndIncluding": "3.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1F10229-1516-4ED2-8E65-C1A000F8EEEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E5EF6CD-930D-48D6-AE6C-8F1433B3D021",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "31A7F920-44DB-400D-B84D-6A64AFE70BD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "596DDF4A-B22C-413A-B41F-1183046DD831",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D9771CF2-8C08-4147-9E44-64A590EBCEAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F2BDA4B-C347-4C49-B940-149841454359",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAB347DC-9333-4ECB-ABB9-EC7E59AA7E31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5A92D478-5E59-4C92-BD99-98D1FC1A4B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1B05231F-5C57-4105-A69F-25F51DFCD58C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "51F86330-C908-429F-A522-D97C1B3981B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B599DA8D-4569-486C-A8E2-E08C42B2E5F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F070F679-FC7F-422E-944A-14EF7D378076",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "208B7059-7833-4C31-A0DF-2DC56F89AE9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81BD755D-8EA9-4317-87FA-24C625D00C1D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "819478F6-FA43-42AA-AB06-A15CD6DBB133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "079D2C90-5703-4D49-B390-3057C7FF8199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2705E4E2-B68F-4832-A38B-A36E35A489C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B6F25400-6F39-4A1F-8236-3315D750C3A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00B5664F-0F36-4A6A-95D0-129FD48C22A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A26C792C-5ADC-4198-9CAF-A0A646762BF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "950D1064-0A35-43DC-9689-8271569443F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "15FB2970-1E63-45FF-9F31-3B160FE7A666",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8225BA6B-1BE9-4DA6-9096-6130C5CBC95E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C8B55831-A7D4-4CC3-804F-B567E0BFA57F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9DE9DBF9-1EAF-4244-BD9B-CC6006D508F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B44587FD-04E4-46FB-9FD4-C220416C7651",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "12AF094B-C661-4607-B7F8-7BA47CC33530",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0F911992-7092-4ABF-ADA3-B88E248D9FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BD6347DD-E19B-406A-A120-38AF358C9B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BACA9AEE-DDE1-4DF2-8ABC-EBC0D6793570",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-site scripting (XSS) en X2Engine X2CRM anterior a 3.5 permite a atacantes remotos inyectar scripts web arbitrarios o HMTL a trav\u00e9s del modelo par\u00e1metro a index.php/admin/editor."
}
],
"id": "CVE-2013-5693",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-09-30T22:55:05.027",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/97366"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/28557"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23172"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/97366"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/28557"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.htbridge.com/advisory/HTB23172"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2013-5692
Vulnerability from fkie_nvd - Published: 2013-09-30 22:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| x2engine | x2crm | * |
| x2engine | x2crm | 1.0 |
| x2engine | x2crm | 1.0.1 |
| x2engine | x2crm | 1.1.0 |
| x2engine | x2crm | 1.2.0 |
| x2engine | x2crm | 1.2.1 |
| x2engine | x2crm | 1.2.2 |
| x2engine | x2crm | 1.3 |
| x2engine | x2crm | 1.3.1 |
| x2engine | x2crm | 2.2 |
| x2engine | x2crm | 2.2.1 |
| x2engine | x2crm | 2.5 |
| x2engine | x2crm | 2.5.2 |
| x2engine | x2crm | 2.7 |
| x2engine | x2crm | 2.7.1 |
| x2engine | x2crm | 2.7.2 |
| x2engine | x2crm | 2.8 |
| x2engine | x2crm | 2.8.1 |
| x2engine | x2crm | 2.9 |
| x2engine | x2crm | 2.9.1 |
| x2engine | x2crm | 3.0 |
| x2engine | x2crm | 3.0.1 |
| x2engine | x2crm | 3.0.2 |
| x2engine | x2crm | 3.1 |
| x2engine | x2crm | 3.1.1 |
| x2engine | x2crm | 3.1.2 |
| x2engine | x2crm | 3.2 |
| x2engine | x2crm | 3.3 |
| x2engine | x2crm | 3.3.1 |
| x2engine | x2crm | 3.3.2 |
| x2engine | x2crm | 3.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAD0FC2A-1253-4C27-9A45-7C797EC52BA6",
"versionEndIncluding": "3.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F1F10229-1516-4ED2-8E65-C1A000F8EEEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6E5EF6CD-930D-48D6-AE6C-8F1433B3D021",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "31A7F920-44DB-400D-B84D-6A64AFE70BD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "596DDF4A-B22C-413A-B41F-1183046DD831",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "D9771CF2-8C08-4147-9E44-64A590EBCEAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4F2BDA4B-C347-4C49-B940-149841454359",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FAB347DC-9333-4ECB-ABB9-EC7E59AA7E31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5A92D478-5E59-4C92-BD99-98D1FC1A4B04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1B05231F-5C57-4105-A69F-25F51DFCD58C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "51F86330-C908-429F-A522-D97C1B3981B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B599DA8D-4569-486C-A8E2-E08C42B2E5F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F070F679-FC7F-422E-944A-14EF7D378076",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "208B7059-7833-4C31-A0DF-2DC56F89AE9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81BD755D-8EA9-4317-87FA-24C625D00C1D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "819478F6-FA43-42AA-AB06-A15CD6DBB133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "079D2C90-5703-4D49-B390-3057C7FF8199",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2705E4E2-B68F-4832-A38B-A36E35A489C1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B6F25400-6F39-4A1F-8236-3315D750C3A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:2.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00B5664F-0F36-4A6A-95D0-129FD48C22A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "A26C792C-5ADC-4198-9CAF-A0A646762BF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "950D1064-0A35-43DC-9689-8271569443F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "15FB2970-1E63-45FF-9F31-3B160FE7A666",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "8225BA6B-1BE9-4DA6-9096-6130C5CBC95E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C8B55831-A7D4-4CC3-804F-B567E0BFA57F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9DE9DBF9-1EAF-4244-BD9B-CC6006D508F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B44587FD-04E4-46FB-9FD4-C220416C7651",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "12AF094B-C661-4607-B7F8-7BA47CC33530",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0F911992-7092-4ABF-ADA3-B88E248D9FA1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BD6347DD-E19B-406A-A120-38AF358C9B24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:x2engine:x2crm:3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BACA9AEE-DDE1-4DF2-8ABC-EBC0D6793570",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en X2Engine X2CRM anterior a 3.5 permite a administradores autenticados remotamente a\u00f1adir y ejecutar archivos locales de su elecci\u00f3n a trav\u00e9s de..(punto punto) en el par\u00e1metro file de index.php/admin/translationManager.\n"
}
],
"id": "CVE-2013-5692",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 8.5,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-09-30T22:55:04.977",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/97365"
},
{
"source": "cve@mitre.org",
"url": "http://www.exploit-db.com/exploits/28557"
},
{
"source": "cve@mitre.org",
"url": "https://www.htbridge.com/advisory/HTB23172"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/97365"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.exploit-db.com/exploits/28557"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.htbridge.com/advisory/HTB23172"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-48120 (GCVE-0-2024-48120)
Vulnerability from cvelistv5 – Published: 2024-10-14 00:00 – Updated: 2024-10-15 15:22
Summary
X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "x2crm",
"vendor": "x2engine",
"versions": [
{
"status": "affected",
"version": "8.5"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-48120",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:20:59.274535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:22:16.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the \"Opportunities\" module. An attacker can inject malicious JavaScript code into the \"Name\" field when creating a list."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T13:44:47.510534",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://okankurtulus.com.tr/2024/09/12/x2crm-v8-5-stored-cross-site-scripting-xss-authenticated/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-48120",
"datePublished": "2024-10-14T00:00:00",
"dateReserved": "2024-10-08T00:00:00",
"dateUpdated": "2024-10-15T15:22:16.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33853 (GCVE-0-2021-33853)
Vulnerability from cvelistv5 – Published: 2022-03-16 14:03 – Updated: 2024-08-04 00:05
Summary
A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.
Severity ?
No CVSS data available.
CWE
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:51.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "X2CRM",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user\u2019s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-16T14:03:37",
"orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"shortName": "CSW"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclose@cybersecurityworks.com",
"ID": "CVE-2021-33853",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "X2CRM",
"version": {
"version_data": [
{
"version_value": "8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user\u2019s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"assignerShortName": "CSW",
"cveId": "CVE-2021-33853",
"datePublished": "2022-03-16T14:03:37",
"dateReserved": "2021-06-04T00:00:00",
"dateUpdated": "2024-08-04T00:05:51.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21088 (GCVE-0-2020-21088)
Vulnerability from cvelistv5 – Published: 2021-04-14 13:49 – Updated: 2024-08-04 14:22
Summary
Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:22:25.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"First Name\" and \"Last Name\" fields in \"/index.php/contacts/create page\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T13:49:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-21088",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"First Name\" and \"Last Name\" fields in \"/index.php/contacts/create page\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/X2Engine/X2CRM/issues/161",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"name": "https://github.com/X2Engine/X2CRM/issues/183",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21088",
"datePublished": "2021-04-14T13:49:44",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:22:25.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21087 (GCVE-0-2020-21087)
Vulnerability from cvelistv5 – Published: 2021-04-14 13:49 – Updated: 2024-08-04 14:22
Summary
Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:22:25.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/162"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the \"New Name\" field of the \"Rename a Module\" tool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T13:49:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/162"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-21087",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the \"New Name\" field of the \"Rename a Module\" tool."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/X2Engine/X2CRM/issues/162",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/162"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21087",
"datePublished": "2021-04-14T13:49:30",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:22:25.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27288 (GCVE-0-2021-27288)
Vulnerability from cvelistv5 – Published: 2021-04-14 13:48 – Updated: 2024-08-03 20:48
Summary
Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:48:16.759Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"Comment\" field in \"/profile/activity\" page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T13:48:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27288",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"Comment\" field in \"/profile/activity\" page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/X2Engine/X2CRM/issues/183",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27288",
"datePublished": "2021-04-14T13:48:25",
"dateReserved": "2021-02-16T00:00:00",
"dateUpdated": "2024-08-03T20:48:16.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2664 (GCVE-0-2014-2664)
Vulnerability from cvelistv5 – Published: 2017-10-17 15:00 – Updated: 2024-08-06 10:21
Summary
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
Public since 2014-03-24 (the CNA's datePublic); the CVE record itself was not published until 2017-10-17, so tooling that ages findings by CVE publication date understates how long this has been known. Fixed in 4.0.
Severity
No CVSS data available.
CWE
- n/a (none recorded by the CNA; by the description this is unrestricted upload of a file with a dangerous type, CWE-434)
Assigner
mitre (cve@mitre.org)
References
| URL | Tags |
|---|---|
| https://exchange.xforce.ibmcloud.com/vulnerabilities/92169 | vdb-entry, x_refsource_XF (x2crm-cve20142664-file-upload(92169)) |
| http://secunia.com/advisories/57315 | third-party-advisory, x_refsource_SECUNIA (57315) |
| http://www.securityfocus.com/bid/66506/discuss | vdb-entry, x_refsource_BID (66506) |
| https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4 | x_refsource_MISC |
| http://karmainsecurity.com/KIS-2014-04 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "x2crm-cve20142664-file-upload(92169)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"name": "57315",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57315"
},
{
"name": "66506",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://karmainsecurity.com/KIS-2014-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-03-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-17T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "x2crm-cve20142664-file-upload(92169)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"name": "57315",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57315"
},
{
"name": "66506",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://karmainsecurity.com/KIS-2014-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-2664",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "x2crm-cve20142664-file-upload(92169)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"name": "57315",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57315"
},
{
"name": "66506",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"name": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4",
"refsource": "MISC",
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
},
{
"name": "http://karmainsecurity.com/KIS-2014-04",
"refsource": "MISC",
"url": "http://karmainsecurity.com/KIS-2014-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-2664",
"datePublished": "2017-10-17T15:00:00",
"dateReserved": "2014-03-26T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5075 (GCVE-0-2015-5075)
Vulnerability from cvelistv5 – Published: 2015-09-29 19:00 – Updated: 2024-08-06 06:32
Summary
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
The Packet Storm advisory referenced below is titled for X2Engine 4.2; the CNA description gives 5.2 as the first version without the issue. Public since 2015-09-25 (datePublic).
Severity
No CVSS data available.
CWE
- n/a (none recorded by the CNA; by the description this is cross-site request forgery, CWE-352)
Assigner
mitre (cve@mitre.org)
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/archive/1/536547/100/0/threaded | mailing-list, x_refsource_BUGTRAQ (20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine) |
| http://seclists.org/fulldisclosure/2015/Sep/93 | mailing-list, x_refsource_FULLDISC |
| https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/ | x_refsource_MISC |
| http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html | x_refsource_MISC |
| https://www.exploit-db.com/exploits/38321/ | exploit, x_refsource_EXPLOIT-DB (38321) |
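The record above describes a state-changing request (index.php/users/create) that a page on an attacker's origin can make the administrator's browser send with the administrator's cookie attached. The following is an added example for this page, not X2CRM code: a minimal synchronizer-token check in Python showing why the session cookie alone cannot authorize such a request and how a per-session token stops the forged one. The session store, the request dictionaries and the handler are constructed for the demonstration.

```python
"""Synchronizer-token CSRF check: an added example for this page, not X2CRM code.

The session store, the request dictionaries and the handler below are all
constructed for the demonstration; the handler stands in for a state-changing
action such as index.php/users/create.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed: the application's key
SESSIONS = {}                             # constructed: session_id -> state


def new_session(is_admin=True):
    """Create a session; the CSRF token is derived from a per-session seed."""
    session_id = secrets.token_hex(16)
    SESSIONS[session_id] = {"csrf_seed": secrets.token_bytes(32), "is_admin": is_admin}
    return session_id


def csrf_token_for(session_id):
    """HMAC(server_secret, session_seed). Only pages the application renders
    inside this session can embed it; a page on another origin cannot read it."""
    seed = SESSIONS[session_id]["csrf_seed"]
    return hmac.new(SERVER_SECRET, seed, hashlib.sha256).hexdigest()


def handle_users_create(request):
    """Return (status, message) for a constructed request dict with keys
    'method', 'cookies' and 'form'. Creates nothing; it only decides."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    session_id = request["cookies"].get("session")
    session = SESSIONS.get(session_id)
    if session is None or not session["is_admin"]:
        return 403, "not an authenticated administrator"
    # The browser attaches the admin's cookie to a cross-site POST on its own,
    # so the cookie proves only that the admin is logged in, not that the
    # admin intended this request. The token must come from a form the
    # application itself rendered in this session.
    supplied = str(request["form"].get("csrf_token", "")).encode()
    expected = csrf_token_for(session_id).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403, "csrf token missing or invalid"
    return 201, "created user " + request["form"]["username"]


def demo():
    """Forged cross-site request (cookie, no token) versus a legitimate one."""
    sid = new_session()
    forged = {
        "method": "POST",
        "cookies": {"session": sid},                         # sent by the victim's browser
        "form": {"username": "attacker", "role": "admin"},   # attacker's page cannot add the token
    }
    legitimate = {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {"username": "newadmin", "role": "admin",
                 "csrf_token": csrf_token_for(sid)},        # embedded by the real form
    }
    return handle_users_create(forged)[0], handle_users_create(legitimate)[0]


if __name__ == "__main__":
    print(demo())
```

The forged request returns 403 and the legitimate one 201. X2CRM is a Yii 1.x application (the protected/ layout in the other records on this page is Yii's), and Yii's CHttpRequest::$enableCsrfValidation implements the same synchronizer-token check at the framework level; SameSite cookie attributes and an Origin header check are complementary, not replacements, because both depend on browser behaviour rather than on the application's own state.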
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:32:32.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"name": "38321",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/38321/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"name": "38321",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/38321/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5075",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/",
"refsource": "MISC",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
},
{
"name": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"name": "38321",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/38321/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5075",
"datePublished": "2015-09-29T19:00:00",
"dateReserved": "2015-06-26T00:00:00",
"dateUpdated": "2024-08-06T06:32:32.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5074 (GCVE-0-2015-5074)
Vulnerability from cvelistv5 – Published: 2015-09-29 19:00 – Updated: 2024-08-06 06:32
Summary
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.
The fix is X2CRM commit 10b72bfe7a1b9694f19a0adef72d85a754d4d3f8 referenced below (the same commit is cited for CVE-2015-5076); the Packet Storm advisory is titled for X2Engine 4.2, and the CNA description gives 5.0.9 as the first version without the issue. A deny-list of extensions fails as soon as the web server maps an extension the list forgot (here .pht) to the PHP interpreter, because the server, not the application, decides what is executed.
Severity
No CVSS data available.
CWE
- n/a (none recorded by the CNA; by the description this is unrestricted upload of a dangerous file type, CWE-434, caused by an incomplete deny-list, CWE-184)
Assigner
mitre (cve@mitre.org)
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/archive/1/536546/100/0/threaded | mailing-list, x_refsource_BUGTRAQ (20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine) |
| https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f | x_refsource_CONFIRM |
| https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/ | x_refsource_MISC |
| http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html | x_refsource_MISC |
| http://seclists.org/fulldisclosure/2015/Sep/92 | mailing-list, x_refsource_FULLDISC |
| https://www.exploit-db.com/exploits/38323/ | exploit, x_refsource_EXPLOIT-DB (38323) |
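The two upload records on this page are the same mistake at two stages: CVE-2014-2664, where actionUploadPhoto applied no extension check at all, and CVE-2015-5074 above, where FileUploadsFilter's deny-list missed .pht. The following is an added example for this page, not X2CRM's filter code: a Python comparison of a deny-list check with an allow-list keyed on extension plus file signature and a server-chosen name on disk. The deny-list, the allow-list, the magic bytes and the sample uploads are constructed for the demonstration and are not the project's actual lists.

```python
"""Deny-list versus allow-list upload filtering: an added example for this page,
not X2CRM's ProfileController or FileUploadsFilter code. The deny-list, the
allow-list, the magic bytes and the sample uploads are constructed.
"""
import os
import re

# A deny-list of the shape that fails in practice (constructed; not the
# project's list): it names the extensions its author remembered and
# nothing else. The web server, not this list, decides what runs as PHP,
# and it may map .pht, .phtml or .phar to the interpreter.
DENYLIST = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "py", "sh"}

# Allow-list for a profile photo: exactly what the feature needs.
PHOTO_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}
MAGIC = {                                   # file signatures for those types
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
BASENAME_RE = re.compile(r"[a-z0-9_-]+")


def extension(filename):
    """Last extension, lowercased; '' when there is none."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def denylist_allows(filename):
    """The CVE-2015-5074 shape: reject known-bad extensions, accept everything else."""
    return extension(filename) not in DENYLIST


def allowlist_allows(filename, content):
    """Accept only <name>.<allowed ext> whose content carries that type's
    signature. A second extension (photo.php.jpg) or a missing one is refused."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not BASENAME_RE.fullmatch(parts[0]):
        return False
    ext = parts[1]
    return ext in PHOTO_ALLOWLIST and content.startswith(MAGIC[ext])


def stored_name(ext):
    """Name to use on disk: chosen by the server, never the client's filename."""
    return os.urandom(8).hex() + "." + ext


SAMPLES = [                                   # constructed uploads (name, first bytes)
    ("avatar.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.pht", b"<?php system($_GET['c']); ?>"),   # not on the deny-list
    ("photo.php.jpg", b"\xff\xd8\xff\xe0JFIF"),       # double extension
    ("fake.jpg", b"<?php system($_GET['c']); ?>"),    # image name, PHP content
]


def compare(samples=SAMPLES):
    """{filename: (deny-list verdict, allow-list verdict)}; True means accepted."""
    return {name: (denylist_allows(name), allowlist_allows(name, content))
            for name, content in samples}


if __name__ == "__main__":
    for name, (deny, allow) in compare().items():
        print(f"{name:14} deny-list accepts={deny!s:5} allow-list accepts={allow}")
```

The deny-list accepts shell.pht, photo.php.jpg and fake.jpg; the allow-list accepts only avatar.png. Whichever check is used, the upload directory should be served without script handlers or kept outside the web root, so that a filter miss is not by itself code execution.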
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:32:32.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"name": "38323",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/38323/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"name": "38323",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/38323/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5074",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"name": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f",
"refsource": "CONFIRM",
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/",
"refsource": "MISC",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
},
{
"name": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"name": "38323",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/38323/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5074",
"datePublished": "2015-09-29T19:00:00",
"dateReserved": "2015-06-26T00:00:00",
"dateUpdated": "2024-08-06T06:32:32.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5076 (GCVE-0-2015-5076)
Vulnerability from cvelistv5 – Published: 2015-09-29 19:00 – Updated: 2024-08-06 06:32
Summary
Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents.
The advisory title classifies these as reflected ("Reflective") XSS; the fix is X2CRM commit 10b72bfe7a1b9694f19a0adef72d85a754d4d3f8 (shared with CVE-2015-5074). Item (9) is a test page under protected/tests/webscripts/, which a production deployment should not serve at all.
Severity
No CVSS data available.
CWE
- n/a (none recorded by the CNA; by the description this is cross-site scripting, CWE-79)
Assigner
mitre (cve@mitre.org)
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/archive/1/536545/100/0/threaded | mailing-list, x_refsource_BUGTRAQ (20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine) |
| https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/ | x_refsource_MISC |
| http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html | x_refsource_MISC |
| https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8 | x_refsource_CONFIRM |
| http://seclists.org/fulldisclosure/2015/Sep/91 | mailing-list, x_refsource_FULLDISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:32:32.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5076",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/",
"refsource": "MISC",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
},
{
"name": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"name": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8",
"refsource": "CONFIRM",
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5076",
"datePublished": "2015-09-29T19:00:00",
"dateReserved": "2015-06-26T00:00:00",
"dateUpdated": "2024-08-06T06:32:32.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-5692 (GCVE-0-2013-5692)
Vulnerability from cvelistv5 – Published: 2013-09-30 20:00 – Updated: 2024-09-16 19:15
Summary
Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.
Exploitation needs an authenticated administrator, so on its own this is an administrator-to-code-execution step rather than an entry point; it matters where an administrator can be made to issue the request or where administrator credentials are obtained by other means. Fixed in 3.5.
Severity
No CVSS data available.
CWE
- n/a (none recorded by the CNA; by the description this is path traversal, CWE-22, leading to local file inclusion, CWE-98)
Assigner
mitre (cve@mitre.org)
References
| URL | Tags |
|---|---|
| https://www.htbridge.com/advisory/HTB23172 | x_refsource_MISC |
| http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html | mailing-list, x_refsource_BUGTRAQ (20130925 Multiple Vulnerabilities in X2CRM) |
| http://www.exploit-db.com/exploits/28557 | exploit, x_refsource_EXPLOIT-DB (28557) |
| http://osvdb.org/97365 | vdb-entry, x_refsource_OSVDB (97365) |
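The record above is a file parameter that selects a path to include. The following is an added example for this page, not X2CRM's TranslationManager code: a Python resolver that confines a user-supplied name to one directory by two independent layers, an allow-list pattern for the name and a containment check on the resolved path, with a constructed directory tree to show which probes each layer stops. The "<language>/<name>.php" naming pattern is an assumption made for the example.

```python
"""Containing a user-controlled file name inside one directory: an added example
for this page, not X2CRM's TranslationManager code. The directory tree,
file names and 'file' values are constructed for the demonstration.
"""
import os
import re
import tempfile

# Layer 1: what a legitimate 'file' value looks like here, assumed for the
# example: "<language>/<name>.php". No separators other than the one slash,
# so no '..', no absolute paths, no NUL bytes.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.php")


def contained_path(base_dir, requested):
    """Resolve base_dir/requested and return it only if it stays inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares path components, not string prefixes, so a sibling
    # such as base_dir + "-evil" does not pass either.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def resolve_translation_file(base_dir, requested):
    """Both layers: the allow-list pattern first, then containment and an
    existence check on the resolved path."""
    if not NAME_RE.fullmatch(requested):
        return None
    path = contained_path(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    return path


def demo():
    """Constructed tree: messages/en/app.php is the only legitimate target."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "messages")
        os.makedirs(os.path.join(base, "en"))
        with open(os.path.join(base, "en", "app.php"), "w") as fh:
            fh.write("<?php return array();")
        with open(os.path.join(tmp, "secret.php"), "w") as fh:   # outside base
            fh.write("<?php /* reachable only by traversal */")
        probes = ["en/app.php", "../secret.php", "en/../../secret.php",
                  "/etc/passwd", "en/missing.php"]
        # (containment alone, full check) for each probe
        return {p: (contained_path(base, p) is not None,
                    resolve_translation_file(base, p) is not None)
                for p in probes}


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print(f"{probe!r:26} contained={verdict[0]!s:5} accepted={verdict[1]}")
```

Containment alone already rejects every traversal probe and the absolute path (os.path.join discards the base when given an absolute component, which the realpath comparison then catches). The pattern layer is what turns "any file under the directory" into "only the files this tool exists to serve"; a lookup table from an opaque identifier to a fixed file list is stricter still, since the request then never carries a path at all.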
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:22:30.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23172"
},
{
"name": "20130925 Multiple Vulnerabilities in X2CRM",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html"
},
{
"name": "28557",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/28557"
},
{
"name": "97365",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/97365"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-09-30T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23172"
},
{
"name": "20130925 Multiple Vulnerabilities in X2CRM",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html"
},
{
"name": "28557",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/28557"
},
{
"name": "97365",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/97365"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5692",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.htbridge.com/advisory/HTB23172",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23172"
},
{
"name": "20130925 Multiple Vulnerabilities in X2CRM",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html"
},
{
"name": "28557",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/28557"
},
{
"name": "97365",
"refsource": "OSVDB",
"url": "http://osvdb.org/97365"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5692",
"datePublished": "2013-09-30T20:00:00Z",
"dateReserved": "2013-09-04T00:00:00Z",
"dateUpdated": "2024-09-16T19:15:23.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48120 (GCVE-0-2024-48120)
Vulnerability from nvd – Published: 2024-10-14 00:00 – Updated: 2024-10-15 15:22
Summary
X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.
Severity
6.5 (Medium) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, scored by the CISA ADP; the CNA supplied no metric. CISA SSVC: Exploitation poc, Automatable no, Technical Impact partial.
CWE
- CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), from the CISA ADP container; the CNA's own problemTypes entry records n/a.
Assigner
mitre
References
| URL | Tags |
|---|---|
| https://okankurtulus.com.tr/2024/09/12/x2crm-v8-5-stored-cross-site-scripting-xss-authenticated/ | (untagged in the CNA record; the title marks it as an authenticated, stored XSS write-up) |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:x2engine:x2crm:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "x2crm",
"vendor": "x2engine",
"versions": [
{
"status": "affected",
"version": "8.5"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-48120",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T15:20:59.274535Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T15:22:16.044Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the \"Opportunities\" module. An attacker can inject malicious JavaScript code into the \"Name\" field when creating a list."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-14T13:44:47.510534",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://okankurtulus.com.tr/2024/09/12/x2crm-v8-5-stored-cross-site-scripting-xss-authenticated/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-48120",
"datePublished": "2024-10-14T00:00:00",
"dateReserved": "2024-10-08T00:00:00",
"dateUpdated": "2024-10-15T15:22:16.044Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33853 (GCVE-0-2021-33853)
Vulnerability from nvd – Published: 2022-03-16 14:03 – Updated: 2024-08-04 00:05
Summary
A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.
Severity ?
No CVSS data available.
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:05:51.624Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "X2CRM",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user\u2019s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-16T14:03:37",
"orgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"shortName": "CSW"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "disclose@cybersecurityworks.com",
"ID": "CVE-2021-33853",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "X2CRM",
"version": {
"version_data": [
{
"version_value": "8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user\u2019s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html",
"refsource": "MISC",
"url": "https://cybersecurityworks.com/zerodays/cve-2021-33853-stored-cross-site-scripting-in-x2crm.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ee1bbb37-1770-46bd-bba8-910037954ee0",
"assignerShortName": "CSW",
"cveId": "CVE-2021-33853",
"datePublished": "2022-03-16T14:03:37",
"dateReserved": "2021-06-04T00:00:00",
"dateUpdated": "2024-08-04T00:05:51.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21088 (GCVE-0-2020-21088)
Vulnerability from nvd – Published: 2021-04-14 13:49 – Updated: 2024-08-04 14:22
Summary
Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:22:25.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"First Name\" and \"Last Name\" fields in \"/index.php/contacts/create page\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T13:49:44",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-21088",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"First Name\" and \"Last Name\" fields in \"/index.php/contacts/create page\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/X2Engine/X2CRM/issues/161",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/161"
},
{
"name": "https://github.com/X2Engine/X2CRM/issues/183",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21088",
"datePublished": "2021-04-14T13:49:44",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:22:25.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-21087 (GCVE-0-2020-21087)
Vulnerability from nvd – Published: 2021-04-14 13:49 – Updated: 2024-08-04 14:22
Summary
Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:22:25.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/162"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the \"New Name\" field of the \"Rename a Module\" tool."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T13:49:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/162"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-21087",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the \"New Name\" field of the \"Rename a Module\" tool."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/X2Engine/X2CRM/issues/162",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/162"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-21087",
"datePublished": "2021-04-14T13:49:30",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:22:25.524Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27288 (GCVE-0-2021-27288)
Vulnerability from nvd – Published: 2021-04-14 13:48 – Updated: 2024-08-03 20:48
Summary
Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:48:16.759Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"Comment\" field in \"/profile/activity\" page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-14T13:48:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27288",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the \"Comment\" field in \"/profile/activity\" page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/X2Engine/X2CRM/issues/183",
"refsource": "MISC",
"url": "https://github.com/X2Engine/X2CRM/issues/183"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27288",
"datePublished": "2021-04-14T13:48:25",
"dateReserved": "2021-02-16T00:00:00",
"dateUpdated": "2024-08-03T20:48:16.759Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-2664 (GCVE-0-2014-2664)
Vulnerability from nvd – Published: 2017-10-17 15:00 – Updated: 2024-08-06 10:21
Summary
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:21:36.019Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "x2crm-cve20142664-file-upload(92169)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"name": "57315",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57315"
},
{
"name": "66506",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://karmainsecurity.com/KIS-2014-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-03-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-17T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "x2crm-cve20142664-file-upload(92169)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"name": "57315",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57315"
},
{
"name": "66506",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://karmainsecurity.com/KIS-2014-04"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-2664",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "x2crm-cve20142664-file-upload(92169)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92169"
},
{
"name": "57315",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57315"
},
{
"name": "66506",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/66506/discuss"
},
{
"name": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4",
"refsource": "MISC",
"url": "https://secuniaresearch.flexerasoftware.com//secunia_research/2014-4"
},
{
"name": "http://karmainsecurity.com/KIS-2014-04",
"refsource": "MISC",
"url": "http://karmainsecurity.com/KIS-2014-04"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-2664",
"datePublished": "2017-10-17T15:00:00",
"dateReserved": "2014-03-26T00:00:00",
"dateUpdated": "2024-08-06T10:21:36.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5075 (GCVE-0-2015-5075)
Vulnerability from nvd – Published: 2015-09-29 19:00 – Updated: 2024-08-06 06:32
Summary
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:32:32.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"name": "38321",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/38321/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"name": "38321",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/38321/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5075",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536547/100/0/threaded"
},
{
"name": "20150925 CVE-2015-5075 - Cross-Site Request Forgery In X2Engine Inc. X2Engine",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Sep/93"
},
{
"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/",
"refsource": "MISC",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/"
},
{
"name": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133718/X2Engine-4.2-Cross-Site-Request-Forgery.html"
},
{
"name": "38321",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/38321/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5075",
"datePublished": "2015-09-29T19:00:00",
"dateReserved": "2015-06-26T00:00:00",
"dateUpdated": "2024-08-06T06:32:32.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5074 (GCVE-0-2015-5074)
Vulnerability from nvd – Published: 2015-09-29 19:00 – Updated: 2024-08-06 06:32
Summary
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:32:32.619Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"name": "38323",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/38323/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"name": "38323",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/38323/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5074",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536546/100/0/threaded"
},
{
"name": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f",
"refsource": "CONFIRM",
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8#diff-26a90fcab2707d6ef509fccb3588790f"
},
{
"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/",
"refsource": "MISC",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/"
},
{
"name": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133717/X2Engine-4.2-Arbitrary-File-Upload.html"
},
{
"name": "20150925 CVE-2015-5074 - Arbitrary File Upload In X2Engine Inc. X2Engine",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Sep/92"
},
{
"name": "38323",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/38323/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5074",
"datePublished": "2015-09-29T19:00:00",
"dateReserved": "2015-06-26T00:00:00",
"dateUpdated": "2024-08-06T06:32:32.619Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-5076 (GCVE-0-2015-5076)
Vulnerability from nvd – Published: 2015-09-29 19:00 – Updated: 2024-08-06 06:32
Summary
Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents.
Severity ?
No CVSS data available.
CWE
- n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:32:32.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-5076",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536545/100/0/threaded"
},
{
"name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/",
"refsource": "MISC",
"url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5076/"
},
{
"name": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/133716/X2Engine-4.2-Cross-Site-Scripting.html"
},
{
"name": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8",
"refsource": "CONFIRM",
"url": "https://github.com/X2Engine/X2CRM/commit/10b72bfe7a1b9694f19a0adef72d85a754d4d3f8"
},
{
"name": "20150925 CVE-2015-5076 - Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Sep/91"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-5076",
"datePublished": "2015-09-29T19:00:00",
"dateReserved": "2015-06-26T00:00:00",
"dateUpdated": "2024-08-06T06:32:32.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}