Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:x2engine:x2crm:1.2.0:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2020-21088 |
Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page" Published: April 14, 2021; 10:15:13 AM -0400 |
V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
CVE-2020-21087 |
Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool. Published: April 14, 2021; 10:15:13 AM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2014-2664 |
Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. Published: October 17, 2017; 11:29:00 AM -0400 |
V3.0: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2015-5076 |
Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents. Published: September 29, 2015; 3:59:04 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2015-5075 |
Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create. Published: September 29, 2015; 3:59:03 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2015-5074 |
Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension. Published: September 29, 2015; 3:59:02 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2013-5693 |
Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor. Published: September 30, 2013; 6:55:05 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-5692 |
Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager. Published: September 30, 2013; 6:55:04 PM -0400 |
V3.x:(not available) V2.0: 8.5 HIGH |