CVE-2020-21088

low-risk
Published 2021-04-14

Cross Site Scripting (XSS) in X2engine X2CRM v7.1 and older allows remote attackers to obtain sensitive information by injecting arbitrary web script or HTML via the "First Name" and "Last Name" fields in "/index.php/contacts/create page"

Do I need to act?

-
0.26% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / LOW complexity

Affected Products (1)

X2Crm

Affected Vendors

X2Engine

References (4)

Exploit https://github.com/X2Engine/X2CRM/issues/161
Exploit https://github.com/X2Engine/X2CRM/issues/183
Exploit https://github.com/X2Engine/X2CRM/issues/161
Exploit https://github.com/X2Engine/X2CRM/issues/183
25
/ 100
low-risk
Severity 19/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal