CVE-2015-5074

X2Engine X2CRM < 5.0.8 - Authenticated Arbitrary File Upload via .pht Extension

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-5074. PoCs published by Portcullis.

AI-analyzed exploit summary CVE-2015-5074 describes a file upload vulnerability in X2Engine due to an incomplete blacklist of file extensions, allowing authenticated users to upload and execute PHP files with a .PHT extension. The advisory details the vulnerability, vendor communication, and remediation steps.

Description

Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.

Exploits (1)

exploitdb WRITEUP
by Portcullis · textwebappsphp
https://www.exploit-db.com/exploits/38323

CVE-2015-5074 describes a file upload vulnerability in X2Engine due to an incomplete blacklist of file extensions, allowing authenticated users to upload and execute PHP files with a .PHT extension. The advisory details the vulnerability, vendor communication, and remediation steps.

Classification
Writeup 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: X2Engine (version not specified)
Auth required
Prerequisites: Authenticated access to the file upload functionality
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6

Scores

EPSS 0.0751
EPSS Percentile 93.7%

Details

CWE
CWE-20
Status published
Products (1)
x2engine/x2crm < 5.0.8
Published Sep 29, 2015
Tracked Since Feb 18, 2026