Multiple Vulnerabilities in X2CRM
|Vulnerable Versions:||3.4.1 and probably prior|
|Advisory Publication:||September 4, 2013 [without technical details]|
|Vendor Notification:||September 4, 2013|
|Vendor Fix:||September 10, 2013|
|Public Disclosure:||September 25, 2013|
|Latest Update:||September 11, 2013|
|Vulnerability Type:||PHP File Inclusion [CWE-98]|
Cross-Site Scripting [CWE-79]
|CVSSv2 Base Scores:||7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in X2CRM, which can be exploited to include arbitrary local files and execute arbitrary PHP code, as well as to perform Cross-Site Sripting (XSS) attacks against users of vulnerable application.
|Update to X2CRM 3.5|
| High-Tech Bridge Advisory HTB23172 - https://www.htbridge.com/advisory/HTB23172 - Multiple vulnerabilities in X2CRM.|
 X2CRM - http://www.x2engine.com - X2CRM is an open source based Sales, Marketing Automation and Service application designed exclusively for companies that require a tightly focused customer information system.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.