CVE-2015-5076
Multiple cross-site scripting XSS vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the 1 version parameter in protected/views/admin/formEditor.php; the 2 importId parameter in protected/views/admin/rollbackImport.php; the 3 bc, 4 fg,...
CVE-2015-5075
Cross-site request forgery CSRF vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create...
CVE-2015-5074
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension...
CVE-2015-5074
CVE-2015-5074 affects X2Engine X2CRM 4.2. An incomplete blacklist in FileUploadsFilter.php allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension. This enables arbitrary file uploads and potential code execution on vulnerable installations. The i...
CVE-2015-5076
CVE-2015-5076 affects X2Engine X2CRM. The vulnerability is a reflective XSS in X2Engine/X2CRM where user-supplied data is echoed, allowing arbitrary script execution. Affected versions are listed as before 5.0.9 (per CNVD/CVE records) and, in other sources, affected 4.2 with a fix at 5.2. Exploit...
CVE-2015-5075
CVE-2015-5075 affects X2Engine X2CRM (affected: 4.2; fixed: 5.2). Root cause: missing CSRF protections in index.php/users/create, enabling remote attackers to create an administrator account and hijack admin authentication. Exploitation details and advisories are documented in Portcullis/Exploit-...
X2Engine 4.2 Cross Site Request Forgery
Vulnerability title: Cross-Site Request Forgery In X2Engine Inc. X2Engine CVE: CVE-2015-5075 Vendor: X2Engine Inc. Product: X2Engine Affected version: 4.2 Fixed version: 5.2 Reported by: Simone Quatrini Details: It was discovered that no protection against Cross-site Request Forgery attacks was...
X2Engine 4.2 Cross Site Scripting
Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine CVE: CVE-2015-5076 Vendor: X2Engine Inc. Product: X2Engine Affected version: 4.2 Fixed version: 5.2 Reported by: Simone Quatrini Details: It was discovered that the web application was vulnerable to reflective Cross-Site Scripting wher...
X2Engine 4.2 Arbitrary File Upload
Vulnerability title: Arbitrary File Upload In X2Engine Inc. X2Engine CVE: CVE-2015-5074 Vendor: X2Engine Inc. Product: X2Engine Affected version: 4.2 Fixed version: 5.2 Reported by: Simone Quatrini Details: It was discovered that authenticated users were able to upload files of any type providing...
X2Engine 4.2 - Arbitrary File Upload
Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/ Details: It was discovered that authenticated users were able to upload files of any type providing that the file did not have an extension that was...
X2Engine 4.2 - Cross-Site Request Forgery
Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/ Details: It was discovered that no protection against Cross-site Request Forgery attacks was implemented, resulting in an attacker being able to...
X2Engine 5.0.4 Platinum Edition Cross Site Request Forgery
Affected software: X2Engine Type of vulnerability: CSRF URL: http://demo.x2engine.com Discovered by: Provensec Website: http://www.provensec.com Version: X2Engine 5.0.4 Platinum Edition Proof of concept: X2Engine was not using any CSRF token, which causes a CSRF issue that an attacker can use to...