CVE-2015-5076

Name of the Vulnerable Software and Affected Versions X2Engine X2CRM versions prior to 5.0.9

Description The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters in different files, including version in protected/views/admin/formEditor.php, importId in protected/views/admin/rollbackImport.php, bc, fg, bgc, or font in protected/views/site/listener.php, Services[*] in protected/components/views/webForm.php, file in protected/components/TranslationManager.php, x2 key in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php, id in protected/modules/contacts/controllers/ContactsController.php, or lastEventId to index.php/profile/getEvents.

Recommendations For versions prior to 5.0.9, update to version 5.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters, such as version, importId, bc, fg, bgc, font, Services[*], file, x2 key, id, and lastEventId, until a patch is available. Avoid using the vulnerable API endpoints, such as "index.php/profile/getEvents", with untrusted input until the issue is resolved.