彙總 x2engine 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 跨站腳本與CSRF 等問題,部分漏洞可能導致 工作階段劫持,並影響 生產負載與軟體部署 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2024-48120 | X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list. | [email protected] | 5.4 | 2.56% | 2024-10-14 | 2024-10-29 |
| CVE-2022-48178 | X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Create Action function, aka an index.php/actions/update URI. | [email protected] | 5.4 | 1.92% | 2023-04-15 | 2026-01-30 |
| CVE-2022-48177 | X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows attackers to create malicious JavaScript that will be executed by the victim user's browser. | [email protected] | 5.4 | 2.52% | 2023-04-15 | 2026-01-30 |
| CVE-2021-33853 | A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM. | [email protected] | 5.4 | 0.19% | 2022-03-16 | 2024-11-21 |
| CVE-2021-27288 | Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page. | [email protected] | 6.1 | 0.38% | 2021-04-14 | 2024-11-21 |
| CVE-2020-21088 | Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page" | [email protected] | 4.8 | 0.26% | 2021-04-14 | 2024-11-21 |
| CVE-2020-21087 | Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool. | [email protected] | 6.1 | 0.51% | 2021-04-14 | 2024-11-21 |
| CVE-2014-2664 | Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. | [email protected] | 8.8 | 6.86% | 2017-10-17 | 2026-05-13 |
| CVE-2015-5076 | Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/Tra | [email protected] | 4.3 | 0.30% | 2015-09-29 | 2026-05-06 |
| CVE-2015-5075 | Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create. | [email protected] | 6.8 | 0.97% | 2015-09-29 | 2026-05-06 |
| CVE-2015-5074 | Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension. | [email protected] | 7.5 | 11.20% | 2015-09-29 | 2026-05-06 |
| CVE-2014-5298 | FileUploadsFilter.php in X2Engine 4.1.7 and earlier, when running on case-insensitive file systems, allows remote attackers to bypass the upload blacklist and conduct unrestricted file upload attacks by uploading a file with an executable extension that contains uppercase letters, as demonstrated using a PHP program. | [email protected] | 5.0 | 1.23% | 2014-10-10 | 2026-05-06 |
| CVE-2014-5297 | The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter. | [email protected] | 7.5 | 0.65% | 2014-10-10 | 2026-05-06 |
| CVE-2013-5693 | Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor. | [email protected] | 4.3 | 0.43% | 2013-09-30 | 2026-04-29 |
| CVE-2013-5692 | Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager. | [email protected] | 8.5 | 9.33% | 2013-09-30 | 2026-04-29 |