Posted by Portcullis Advisories on Sep 25

Vulnerability title: Cross-Site Request Forgery In X2Engine Inc. X2Engine
CVE: CVE-2015-5075
Vendor: X2Engine Inc.
Product: X2Engine
Affected version: 4.2
Fixed version: 5.2
Reported by: Simone Quatrini
Details:

It was discovered that no protection against Cross-site Request Forgery attacks was implemented, resulting in an
attacker being able to able to force the creation of a new administrative account.

Further details at:…

Posted by Portcullis Advisories on Sep 25

Vulnerability title: Reflective XSS In X2Engine Inc. X2Engine
CVE: CVE-2015-5076
Vendor: X2Engine Inc.
Product: X2Engine
Affected version: 4.2
Fixed version: 5.2
Reported by: Simone Quatrini
Details:

It was discovered that the web application was vulnerable to reflective Cross-Site Scripting where user supplied data
is used to generate the subsequent response. This is a normal feature of many applications, however, in this instance
the…

Posted by Portcullis Advisories on Sep 25

Vulnerability title: Arbitrary File Upload In X2Engine Inc. X2Engine
CVE: CVE-2015-5074
Vendor: X2Engine Inc.
Product: X2Engine
Affected version: 4.2
Fixed version: 5.2
Reported by: Simone Quatrini
Details:

It was discovered that authenticated users were able to upload files of any type providing that the file did not have
an extension that was listed in the following blacklist:

const EXT_BLACKLIST =…