Release date:
Updated on:
Affected Systems:
X2engine X2CRM 3.4.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 62634
CVE (CAN) ID: CVE-2013-5693
X2CRM is an open-source sales, marketing automation and service application.
X2CRM 3.4.1 does not properly sanitize the value of the "model" HTTP GET parameter passed to the "/index.php/admin/editor" URL before echoing it back. A remote attacker who tricks an administrator into opening a specially crafted link can exploit this to execute arbitrary HTML and script code in the administrator's browser, in the security context of the affected site (reflected cross-site scripting).
<* Source: High-Tech Bridge Security Research Lab
Link: http://www.exploit-db.com/exploits/28557/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive in nature and are intended only for security research and teaching. Users act at their own risk!
http://www.example.com/index.php/admin/editor?model=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
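A defender-side check for this issue, added here as an example and not taken from the advisory or from X2engine: it scans web-server access log lines for requests to the vulnerable editor URL whose "model" parameter, after (repeated) percent-decoding, contains script markup. The endpoint and parameter name come from the advisory; the combined log format, the sample lines and the markup pattern are assumptions of this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic): line 2 carries
# the advisory's PoC payload, line 3 a double-encoded variant, line 4 another path.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Sep/2013:10:01:12 +0000] "GET /index.php/admin/editor?model=Contacts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Sep/2013:10:02:40 +0000] "GET /index.php/admin/editor?model=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Sep/2013:10:03:01 +0000] "GET /index.php/admin/editor?model=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5210 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2013:10:04:15 +0000] "GET /index.php/contacts/view?id=3&model=%3Cb%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VULN_PATH = "/index.php/admin/editor"  # endpoint named in the advisory
VULN_PARAM = "model"                    # the unsanitised GET parameter
# Script tags, inline event handlers or javascript: URLs inside the parameter value.
MARKUP_RE = re.compile(r"<\s*/?\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def query_params(query):
    """Split the raw query on '&' only; values stay undecoded for fully_decode."""
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield unquote(key), value

def scan_log(text):
    """One record per request to the editor URL whose 'model' value holds script markup."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        for key, raw in query_params(url.query):
            payload = fully_decode(raw)
            if key == VULN_PARAM and MARKUP_RE.search(payload):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "status": m.group("status"), "payload": payload})
    return hits
```

A 200 status on a flagged line means the page was served with the payload reflected, so the record is worth correlating with the admin's session activity.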
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
X2engine
--------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.x2engine.com/
http://x2community.com/index.php?/topic/1005-x2crm-35-released/