CVE-2022-48177

MEDIUM

X2CRM 6.6-6.9 - Reflected Cross-Site Scripting via Import Records Model Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-48177. PoCs published by Betul Denizler.

AI-analyzed exploit summary This exploit demonstrates a reflected XSS vulnerability in X2CRM v6.6/6.9 via the 'model' parameter in an authenticated admin context. The payload injects malicious JavaScript into the page, triggering an alert upon load.

Description

X2CRM Open Source Sales CRM 6.6 and 6.9 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the adin/importModels Import Records Model field (model parameter). This vulnerability allows attackers to create malicious JavaScript that will be executed by the victim user's browser.

Exploits (1)

exploitdb WORKING POC
by Betul Denizler · textwebappsphp
https://www.exploit-db.com/exploits/51346

This exploit demonstrates a reflected XSS vulnerability in X2CRM v6.6/6.9 via the 'model' parameter in an authenticated admin context. The payload injects malicious JavaScript into the page, triggering an alert upon load.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: X2CRM v6.6/6.9
Auth required
Prerequisites: Authenticated admin session · Access to the admin import models page
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 5.4
EPSS 0.0183
EPSS Percentile 76.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
x2engine/x2crm 6.6
x2engine/x2crm 6.9
Published Apr 15, 2023
Tracked Since Feb 18, 2026