x2engine CVE Vulnerabilities & Metrics

Focus on x2engine vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About x2engine Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with x2engine. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total x2engine CVEs: 9
Earliest CVE date: 30 Sep 2013, 22:55 UTC
Latest CVE date: 14 Oct 2024, 14:15 UTC

Latest CVE reference: CVE-2024-48120

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical x2engine CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 5.08

Max CVSS: 8.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range      Count
0.0-3.9    3
4.0-6.9    6
7.0-8.9    3
9.0-10.0   0

CVSS Distribution Chart

Top 5 Highest CVSS x2engine CVEs

These are the five CVEs with the highest CVSS scores for x2engine, sorted by severity first and then by recency.

All CVEs for x2engine

CVE-2024-48120 x2engine vulnerability CVSS: 0 14 Oct 2024, 14:15 UTC

X2CRM v8.5 is vulnerable to a stored Cross-Site Scripting (XSS) in the "Opportunities" module. An attacker can inject malicious JavaScript code into the "Name" field when creating a list.

CVE-2021-33853 x2engine vulnerability CVSS: 3.5 16 Mar 2022, 15:15 UTC

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.

CVE-2021-27288 x2engine vulnerability CVSS: 4.3 14 Apr 2021, 14:15 UTC

Cross Site Scripting (XSS) in X2Engine X2CRM v7.1 allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "Comment" field in "/profile/activity" page.

CVE-2020-21088 x2engine vulnerability CVSS: 3.5 14 Apr 2021, 14:15 UTC

Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in the "/index.php/contacts/create" page.

CVE-2020-21087 x2engine vulnerability CVSS: 4.3 14 Apr 2021, 14:15 UTC

Cross Site Scripting (XSS) in X2Engine X2CRM v6.9 and older allows remote attackers to execute arbitrary code by injecting arbitrary web script or HTML via the "New Name" field of the "Rename a Module" tool.

CVE-2014-2664 x2engine vulnerability CVSS: 6.5 17 Oct 2017, 15:29 UTC

Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.

CVE-2015-5076 x2engine vulnerability CVSS: 4.3 29 Sep 2015, 19:59 UTC

Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents.

CVE-2015-5075 x2engine vulnerability CVSS: 6.8 29 Sep 2015, 19:59 UTC

Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.

CVE-2015-5074 x2engine vulnerability CVSS: 7.5 29 Sep 2015, 19:59 UTC

Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.

CVE-2014-5297 x2engine vulnerability CVSS: 7.5 10 Oct 2014, 01:55 UTC

The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter.

CVE-2013-5693 x2engine vulnerability CVSS: 4.3 30 Sep 2013, 22:55 UTC

Cross-site scripting (XSS) vulnerability in X2Engine X2CRM before 3.5 allows remote attackers to inject arbitrary web script or HTML via the model parameter to index.php/admin/editor.

CVE-2013-5692 x2engine vulnerability CVSS: 8.5 30 Sep 2013, 22:55 UTC

Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) in the file parameter to index.php/admin/translationManager.