CVE-2013-5692

Published: 30/09/2013 Updated: 01/10/2013
CVSS v2 Base Score: 8.5 | Impact Score: 10 | Exploitability Score: 6.8
VMScore: 855
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Vulnerability Summary

Directory traversal vulnerability in X2Engine X2CRM prior to 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.

Vulnerable Product

x2engine x2crm 3.0.1

x2engine x2crm 3.0

x2engine x2crm 2.9.1

x2engine x2crm 2.9

x2engine x2crm 1.2.1

x2engine x2crm 1.2.0

x2engine x2crm 1.1.0

x2engine x2crm 1.0.1

x2engine x2crm 1.0

x2engine x2crm 3.4

x2engine x2crm 3.3.2

x2engine x2crm 3.3.1

x2engine x2crm

x2engine x2crm 3.2

x2engine x2crm 3.1.1

x2engine x2crm 3.0.2

x2engine x2crm 2.8.1

x2engine x2crm 2.7.2

x2engine x2crm 1.3.1

x2engine x2crm 1.2.2

x2engine x2crm 3.3

x2engine x2crm 2.7

x2engine x2crm 2.5.2

x2engine x2crm 2.5

x2engine x2crm 2.2.1

x2engine x2crm 3.1.2

x2engine x2crm 3.1

x2engine x2crm 2.8

x2engine x2crm 2.7.1

x2engine x2crm 2.2

x2engine x2crm 1.3

Exploits

Advisory ID: HTB23172
Product: X2CRM
Vendor: X2Engine Inc
Vulnerable Version(s): 341 and probably prior
Tested Version: 341
Advisory Published: September 4, 2013
Vendor Notification: September 4, 2013
Vendor Patch: September 10, 2013
Public Disclosure: September 25, 2013
Vulnerability Type: PHP File Inclusion [CWE-98], Cross-Site Scripting [CW ...
X2CRM version 341 suffers from cross site scripting and local file inclusion vulnerabilities ...