X2crm Security Vulnerabilities and Issues — X2crm CVE List

Lucene search

X2engineX2crm

11 matches found

CVE•added 2022/03/16 3:15 p.m.•93 views

CVE-2021-33853

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when t...

5.4CVSS5.3AI score0.00195EPSS

CVE•added 2013/09/30 10:55 p.m.•60 views

CVE-2013-5693

Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.

4.3CVSS5.6AI score0.00432EPSS

CVE•added 2013/09/30 10:55 p.m.•56 views

CVE-2013-5692

Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.

8.5CVSS6.7AI score0.09328EPSS

CVE•added 2015/09/29 7:59 p.m.•49 views

CVE-2015-5074

Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.

7.5CVSS7.2AI score0.12896EPSS

CVE•added 2015/09/29 7:59 p.m.•48 views

CVE-2015-5075

Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.

6.8CVSS7.1AI score0.00966EPSS

CVE•added 2024/10/14 2:15 p.m.•40 views

CVE-2024-48120

X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.

6.5CVSS5.9AI score0.00877EPSS

CVE•added 2015/09/29 7:59 p.m.•39 views

CVE-2015-5076

Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc,...

4.3CVSS5.8AI score0.00305EPSS

CVE•added 2017/10/17 3:29 p.m.•37 views

CVE-2014-2664

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct re...

8.8CVSS9AI score0.06855EPSS

CVE•added 2021/04/14 2:15 p.m.•34 views

CVE-2021-27288

Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.

6.1CVSS5.9AI score0.00205EPSS

CVE•added 2021/04/14 2:15 p.m.•33 views

CVE-2020-21087

Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.

6.1CVSS6.2AI score0.0051EPSS

CVE•added 2021/04/14 2:15 p.m.•28 views

CVE-2020-21088

Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"

4.8CVSS4.9AI score0.00194EPSS