13 matches found
CVE-2021-33853
CVE-2021-33853 affects X2CRM 8.0 from X2Engine USA, Inc. The Red Hat/ CNVD/ CNNVD and CVE records describe a cross-site scripting (XSS) vulnerability arising from insufficient input validation/filtering and output encoding, allowing arbitrary JavaScript to run in a user’s browser when the user na...
CVE-2013-5693
CVE-2013-5693 affects X2Engine X2CRM
CVE-2013-5692
CVE-2013-5692 affects X2CRM/X2Engine before 3.5. A PHP file inclusion flaw arises from insufficient sanitization of the file parameter in /index.php/admin/translationManager, allowing a remote authenticated administrator to traverse directories and include/execute local files. Public details conf...
CVE-2015-5075
CVE-2015-5075 affects X2Engine X2CRM (affected: 4.2; fixed: 5.2). Root cause: missing CSRF protections in index.php/users/create, enabling remote attackers to create an administrator account and hijack admin authentication. Exploitation details and advisories are documented in Portcullis/Exploit-...
CVE-2015-5074
CVE-2015-5074 affects X2Engine X2CRM 4.2. An incomplete blacklist in FileUploadsFilter.php allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension. This enables arbitrary file uploads and potential code execution on vulnerable installations. The i...
CVE-2024-48120
X2CRM v8.5 is affected by a stored XSS in the Opportunities module. The vulnerability allows an authenticated attacker to inject JavaScript via the Name field when creating a list, with the payload stored and later triggered. Evidence consistently references a stored XSS path in the Opportunities...
CVE-2014-2664
The CVE affects X2Engine X2CRM before 4.0. Affected component: ProfileController::actionUploadPhoto in protected/controllers/ProfileController.php. Root cause: unrestricted file upload allows uploading a file with an executable extension, enabling remote code execution when the file is accessed d...
CVE-2015-5076
CVE-2015-5076 affects X2Engine X2CRM. The vulnerability is a reflective XSS in X2Engine/X2CRM where user-supplied data is echoed, allowing arbitrary script execution. Affected versions are listed as before 5.0.9 (per CNVD/CVE records) and, in other sources, affected 4.2 with a fix at 5.2. Exploit...
CVE-2022-48177
CVE-2022-48177 affects X2CRM Open Source Sales CRM versions 6.6–6.9. A reflected Cross-Site Scripting (XSS) vulnerability exists in the adin/importModels Import Records Model field, via the model parameter. Exploitation can execute malicious JavaScript in a victim user’s browser, with some source...
CVE-2021-27288
CVE-2021-27288 affects X2Engine X2CRM v7.1, with a Cross-Site Scripting (XSS) vulnerability in the Comment field on the /profile/activity page. The root cause is improper handling/sanitization of input leading to script/html injection. Impact stated: remote attackers can obtain sensitive informat...
CVE-2022-48178
CVE-2022-48178 summary: X2CRM Open Source Sales CRM versions 6.6–6.9 contain a stored XSS vulnerability in the Create Action function, triggered via index.php/actions/update. Multiple sources (Exploit-DB, PacketStorm, CNNVD, Red Hat, OSV, CVE lists) confirm the flaw and that exploitation can be a...
CVE-2020-21087
X2Engine X2CRM v6.9 and earlier is affected by an XSS vulnerability in the Rename a Module tool, where entering arbitrary web script or HTML into the New Name field can be reflected to the user and potentially lead to code execution in the context of the victim's browser. The issue is described a...
CVE-2020-21088
X2engine/X2CRM 7.1 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that allows remote attackers to obtain sensitive information by injecting arbitrary script/HTML through the First Name and Last Name fields on the /index.php/contacts/create page. Root cause is untrusted inp...