CVE-2013-5692

X2Engine X2CRM < 3.5 - Authenticated Path Traversal via Translation Manager File Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-5692. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary

The advisory details two vulnerabilities in X2CRM: a PHP file inclusion vulnerability (CVE-2013-5692) allowing arbitrary local file inclusion via the 'file' parameter, and a cross-site scripting (XSS) vulnerability (CVE-2013-5693) via the 'model' parameter. Both require administrative privileges or CSRF exploitation.

Description

Directory traversal vulnerability in X2Engine X2CRM before 3.5 allows remote authenticated administrators to include and execute arbitrary local files via a .. (dot dot) sequence in the file parameter to index.php/admin/translationManager.

Exploits (1)

exploitdb WRITEUP
by High-Tech Bridge SA · text · webapps · php
https://www.exploit-db.com/exploits/28557


Classification
Writeup 100%
Attack Type
Info Leak | Xss
Complexity
Moderate
Reliability
Reliable
Target: X2CRM 3.4.1 and prior
Auth required
Prerequisites: Administrative access or CSRF vector · Target running vulnerable X2CRM version

References (4)

Core References

Exploit, Third Party Advisory (exploit-db): http://www.exploit-db.com/exploits/28557
Vendor Advisory (misc): https://www.htbridge.com/advisory/HTB23172
Third Party Advisory, mailing list (bugtraq): http://archives.neohapsis.com/archives/bugtraq/2013-09/0117.html
Third Party Advisory, VDB Entry (osvdb): http://osvdb.org/97365

Scores

EPSS 0.0579
EPSS Percentile 92.1%

Details

CWE
CWE-22
Status published
Products (31)
x2engine/x2crm 1.0
x2engine/x2crm 1.0.1
x2engine/x2crm 1.1.0
x2engine/x2crm 1.2.0
x2engine/x2crm 1.2.1
x2engine/x2crm 1.2.2
x2engine/x2crm 1.3
x2engine/x2crm 1.3.1
x2engine/x2crm 2.2
x2engine/x2crm 2.2.1
... and 21 more
Published Sep 30, 2013
Tracked Since Feb 18, 2026