Vendor: X2Engine Inc.
Vulnerable Versions: 3.4.1 and probably prior
Tested Version: 3.4.1
Advisory Published: September 4, 2013
Vendor Notification: September 4, 2013
Vendor Fix: September 10, 2013
Public Disclosure: September 25, 2013
Vulnerability Type: PHP File Inclusion [CWE-98], Cross-Site Scripting [CWE-79]
CVE References: CVE-2013-5692, CVE-2013-5693
Risk Level: High
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in X2CRM, which can be exploited to include arbitrary local files and execute arbitrary PHP code, as well as to perform Cross-Site Scripting (XSS) attacks against users of the vulnerable application.
1) PHP File Inclusion in X2CRM: CVE-2013-5692
The vulnerability exists due to insufficient filtering of the "file" HTTP GET parameter passed to the "/index.php/admin/translationManager" URL before it is used in the PHP "include()" function. A remote authenticated administrator can include and execute arbitrary local PHP files on the target system using directory traversal sequences.
The following exploitation example displays the content of the "/etc/passwd" file:
Successful exploitation of this vulnerability requires administrative privileges; however, it can also be exploited via a CSRF vector, to which the application is prone.
The simple CSRF exploit below includes and executes the "/tmp/file.php" script:
2) Cross-Site Scripting (XSS) in X2CRM: CVE-2013-5693
The vulnerability exists due to insufficient sanitisation of user-supplied data in the "model" HTTP GET parameter passed to the "/index.php/admin/editor" URL. A remote attacker can trick a logged-in administrator into opening a specially crafted link and execute arbitrary HTML and script code in the browser in the context of the vulnerable website.
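As an added defender-side example (not part of the advisory and not X2CRM code), the check below scans web-server access logs for requests matching the two issues described above: a "file" parameter to the translationManager URL carrying a ".." traversal segment, and a "model" parameter to the editor URL carrying script markup. The log lines are constructed, and the log regex, the endpoint table and the double-decoding step are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines for illustration; the URL paths and
# parameter names are the ones named in the advisory, everything else is invented.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2013:10:01:02 +0000] "GET /index.php/admin/translationManager?file=en.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2013:10:02:09 +0000] "GET /index.php/admin/translationManager?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.30"
10.0.0.7 - - [25/Sep/2013:10:02:31 +0000] "GET /index.php/admin/translationManager?file=..%252F..%252F..%252Ftmp%252Ffile.php HTTP/1.1" 200 211 "-" "curl/7.30"
10.0.0.9 - - [25/Sep/2013:10:03:44 +0000] "GET /index.php/admin/editor?model=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Sep/2013:10:04:00 +0000] "GET /index.php/admin/editor?model=Contacts HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# A ".." path segment anywhere in the value, with either slash style, is a traversal attempt.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Script markers that have no business in a model name.
SCRIPT_RE = re.compile(r'<\s*/?\s*script|javascript:|\bon\w+\s*=', re.IGNORECASE)

# Endpoint (assumed to appear verbatim in the request path) -> (parameter, pattern, CVE)
CHECKS = {
    '/index.php/admin/translationManager': ('file', TRAVERSAL_RE, 'CVE-2013-5692'),
    '/index.php/admin/editor': ('model', SCRIPT_RE, 'CVE-2013-5693'),
}

def classify_request(line):
    """Return (ip, cve, param, decoded value) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    for endpoint, (param, pattern, cve) in CHECKS.items():
        if not url.path.endswith(endpoint):
            continue
        # parse_qs decodes once; a second unquote catches double-encoded payloads
        # (e.g. %252e%252e%252f) and is a no-op on text that is already plain.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = unquote(raw)
            if pattern.search(value):
                return (m.group('ip'), cve, param, value)
    return None

def scan_log(text):
    """Run classify_request over every line and collect the hits in order."""
    return [hit for hit in map(classify_request, text.splitlines()) if hit]
```

Because the advisory notes that the include can be triggered through CSRF, a hit may carry the administrator's own IP and session, so alert on the parameter value rather than on the source address.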
Solution: Update to X2CRM 3.5
http://x2community.com/index.php?/topic ... -released/
References:
High-Tech Bridge Advisory HTB23172 - https://www.htbridge.com/advisory/HTB23172 - Multiple vulnerabilities in X2CRM.
X2CRM - http://www.x2engine.com - X2CRM is an open source based Sales, Marketing Automation and Service application designed exclusively for companies that require a tightly focused customer information system.
Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
ImmuniWeb® - https://www.htbridge.com/immuniweb/ - High-Tech Bridge's proprietary web application security assessment solution with a SaaS delivery model that combines manual and automated vulnerability testing.