MidnightBSD

Advisories for x2engine

CVE-2013-5692 HIGH

Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
x2engine x2crm 2.7.2
x2engine x2crm 1.3
x2engine x2crm 3.1.2
x2engine x2crm *
x2engine x2crm 3.0.1
x2engine x2crm 2.7.1
x2engine x2crm 2.9
x2engine x2crm 1.0.1
x2engine x2crm 3.3
x2engine x2crm 1.1.0
x2engine x2crm 3.3.2
x2engine x2crm 1.2.2
x2engine x2crm 3.4
x2engine x2crm 1.2.0
x2engine x2crm 2.9.1
x2engine x2crm 3.0.2
x2engine x2crm 2.5.2
x2engine x2crm 2.8
x2engine x2crm 2.2
x2engine x2crm 1.2.1
x2engine x2crm 2.5
x2engine x2crm 1.0
x2engine x2crm 3.2
x2engine x2crm 3.1
x2engine x2crm 3.0
x2engine x2crm 2.7
x2engine x2crm 2.8.1
x2engine x2crm 3.1.1
x2engine x2crm 3.3.1
x2engine x2crm 1.3.1
x2engine x2crm 2.2.1
CVE-2013-5693 MEDIUM

Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
x2engine x2crm 2.7.2
x2engine x2crm 1.3
x2engine x2crm 3.1.2
x2engine x2crm *
x2engine x2crm 3.0.1
x2engine x2crm 2.7.1
x2engine x2crm 2.9
x2engine x2crm 1.0.1
x2engine x2crm 3.3
x2engine x2crm 1.1.0
x2engine x2crm 3.3.2
x2engine x2crm 1.2.2
x2engine x2crm 3.4
x2engine x2crm 1.2.0
x2engine x2crm 2.9.1
x2engine x2crm 3.0.2
x2engine x2crm 2.5.2
x2engine x2crm 2.8
x2engine x2crm 2.2
x2engine x2crm 1.2.1
x2engine x2crm 2.5
x2engine x2crm 1.0
x2engine x2crm 3.2
x2engine x2crm 3.1
x2engine x2crm 3.0
x2engine x2crm 2.7
x2engine x2crm 2.8.1
x2engine x2crm 3.1.1
x2engine x2crm 3.3.1
x2engine x2crm 1.3.1
x2engine x2crm 2.2.1
CVE-2014-2664 MEDIUM

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
x2engine x2crm *
CVE-2014-5297 HIGH

The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
x2engine x2engine 2.8
x2engine x2engine 4.1.7
CVE-2014-5298 MEDIUM

FileUploadsFilter.php in X2Engine 4.1.7 and earlier, when running on case-insensitive file systems, allows remote attackers to bypass the upload blacklist and conduct unrestricted file upload attacks by uploading a file with an executable extension that contains uppercase letters, as demonstrated using a PHP program.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
x2engine x2engine *
CVE-2015-5074 HIGH

Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
x2engine x2crm *
CVE-2015-5075 MEDIUM

Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
x2engine x2crm *
CVE-2015-5076 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
x2engine x2crm *
CVE-2020-21087 MEDIUM

Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
x2engine x2crm *
CVE-2020-21088 LOW

Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
x2engine x2crm *
CVE-2021-27288 MEDIUM

Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
x2engine x2crm 7.1
CVE-2021-33853 LOW

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
x2engine x2crm 8.0