cbcvebase.

X2Engine X2Crm vulnerabilities

13 known vulnerabilities affecting x2engine/x2crm.

Total CVEs
13
CISA KEV
0
Public exploits
7
Exploited in wild
0
Severity breakdown
HIGH3MEDIUM10

Vulnerabilities

Page 1 of 1
CVE-2015-5074P3HIGHCVSS 7.5PoC≤ 5.0.82015-09-29
CVE-2015-5074 [HIGH] CWE-20 CVE-2015-5074: Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/Fi Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.
nvd
CVE-2013-5692P3HIGHCVSS 8.5PoC≤ 3.4.1v1.0+29 more2013-09-30
CVE-2013-5692 [HIGH] CWE-22 CVE-2013-5692: Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administr Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.
nvd
CVE-2014-2664P2HIGHCVSS 8.8≤ 3.7.52017-10-17
CVE-2014-2664 [HIGH] CWE-434 CVE-2014-2664: Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protect Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.
nvd
CVE-2015-5075P3MEDIUMCVSS 6.8PoC≤ 5.0.92015-09-29
CVE-2015-5075 [MEDIUM] CWE-352 CVE-2015-5075: Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.
nvd
CVE-2022-48178P4MEDIUMCVSS 5.4PoCv6.6v6.92023-04-15
CVE-2022-48178 [MEDIUM] CWE-79 CVE-2022-48178: X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI.
nvd
CVE-2024-48120P4MEDIUMCVSS 5.4PoCv8.52024-10-14
CVE-2024-48120 [MEDIUM] CWE-79 CVE-2024-48120: X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An at X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.
nvd
CVE-2022-48177P4MEDIUMCVSS 5.4PoCv6.6v6.92023-04-15
CVE-2022-48177 [MEDIUM] CWE-79 CVE-2022-48177: X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting ( X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows attackers to create malicious JavaScript that will be executed by the victim user's browser.
nvd
CVE-2013-5693P4MEDIUMCVSS 4.3PoC≤ 3.4.1v1.0+29 more2013-09-30
CVE-2013-5693 [MEDIUM] CWE-79 CVE-2013-5693: Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inj Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.
nvd
CVE-2020-21087P4MEDIUMCVSS 6.1≤ 6.92021-04-14
CVE-2020-21087 [MEDIUM] CWE-79 CVE-2020-21087: Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbit Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.
nvd
CVE-2021-33853P4MEDIUMCVSS 5.4v8.0v82022-03-16
CVE-2021-33853 [MEDIUM] CWE-79 CVE-2021-33853: A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.
nvd
CVE-2021-27288P4MEDIUMCVSS 6.1v7.12021-04-14
CVE-2021-27288 [MEDIUM] CWE-79 CVE-2021-27288: Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive inform Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.
nvd
CVE-2015-5076P4MEDIUMCVSS 4.3≤ 5.0.82015-09-29
CVE-2015-5076 [MEDIUM] CWE-79 CVE-2015-5076: Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote atta Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/vi
nvd
CVE-2020-21088P4MEDIUMCVSS 4.8≤ 7.12021-04-14
CVE-2020-21088 [MEDIUM] CWE-79 CVE-2020-21088: Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensit Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"
nvd
X2Engine X2Crm vulnerabilities | cvebase