X2engine

X2crm

11 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.

Exploit
  • EPSS 0.93%
  • Published 14.10.2024 14:15:11
  • Last modified 29.10.2024 20:57:53

X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.

Exploit
  • EPSS 0.21%
  • Published 16.03.2022 15:15:10
  • Last modified 21.11.2024 06:09:42

A Cross-Site Scripting (XSS) attack can cause arbitrary code (JavaScript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself....

Exploit
  • EPSS 0.51%
  • Published 14.04.2021 14:15:13
  • Last modified 21.11.2024 05:12:25

Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.

Exploit
  • EPSS 0.19%
  • Published 14.04.2021 14:15:13
  • Last modified 21.11.2024 05:12:25

Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in the "/index.php/contacts/create" page.

Exploit
  • EPSS 0.21%
  • Published 14.04.2021 14:15:13
  • Last modified 21.11.2024 05:57:45

Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.

  • EPSS 6.86%
  • Published 17.10.2017 15:29:00
  • Last modified 20.04.2025 01:37:25

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an execut...

Exploit
  • EPSS 0.31%
  • Published 29.09.2015 19:59:04
  • Last modified 12.04.2025 10:46:40

Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in prot...

Exploit
  • EPSS 0.97%
  • Published 29.09.2015 19:59:03
  • Last modified 12.04.2025 10:46:40

Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.

Exploit
  • EPSS 12.9%
  • Published 29.09.2015 19:59:02
  • Last modified 12.04.2025 10:46:40

Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht ext...

Exploit
  • EPSS 0.43%
  • Published 30.09.2013 22:55:05
  • Last modified 11.04.2025 00:51:21

Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.