CVE-2021-33853: Stored XSS in X2CRM – Securin Advisory

Stored Cross-Site Scripting in X2CRM

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user's browser while the browser is connected to a trusted website. Additionally, the XSS payload is executed when the user attempts to access any page of the X2CRM application.

CVE IDCVE-2021-33853

CVSS v3.15.4 Medium

VendorX2CRM

CWECWE-79

DisclosedDec 1, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

A Cross-Site Scripting (XSS) attack can cause arbitrary code (javascript) to run in a user’s browser while the browser is connected to a trusted website. As the vehicle for the attack, the application targets the users and not the application itself. Additionally, the XSS payload is executed when the user attempts to access any page of the CRM.

Vendor: X2CRM
Affected Product: X2CRM
CVE: CVE-2021-33853
Securin ID: 2021-CSW-11-1054
Status: Fixed
Date: December 1, 2021
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

01The following vulnerability was discovered in X2CRM version 8.0.02Issue: Stored Cross-Site Scripting03Figure 1: Add Top Bar Page04Figure 2: Payload injected in “Link Name” field05Figure 3: XSS Payload Triggered

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can perform the following:

Medium

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Medium

Modify the code and get the session information of other users.

High

Compromise the user machine.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

N/A

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

N/A

Explicitly set the character set encoding for each page generated by the webserver.

N/A

Encode dynamic output elements and filter specific characters in dynamic elements.

N/A

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2021-33853, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

November 11, 2021

Discovered in X2CRM 8.0` Product

December 1, 2021

CSW team reported to Vendor about the vulnerability.

January 20, 2022

X2CRM team postponed the release of X2CRM 8.5.

February 1, 2022

Vendor fixed the issue.

February 1, 2022

CSW assigned the CVE Identifier (CVE-2021-33853).

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2021-33853

nvd.nist.gov/vuln/detail/CVE-2021-33853 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in X2CRM

CVE IDCVE-2021-33853

CVSS v3.15.4 Medium

VendorX2CRM

CWECWE-79

DisclosedDec 1, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: X2CRM
Affected Product: X2CRM
CVE: CVE-2021-33853
Securin ID: 2021-CSW-11-1054
Status: Fixed
Date: December 1, 2021
Severity: Medium
CVSS Score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can perform the following:

Medium

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Medium

Modify the code and get the session information of other users.

High

Compromise the user machine.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

N/A

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

N/A

Explicitly set the character set encoding for each page generated by the webserver.

N/A

Encode dynamic output elements and filter specific characters in dynamic elements.

N/A

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2021-33853, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

November 11, 2021

Discovered in X2CRM 8.0` Product

December 1, 2021

CSW team reported to Vendor about the vulnerability.

January 20, 2022

X2CRM team postponed the release of X2CRM 8.5.

February 1, 2022

Vendor fixed the issue.

February 1, 2022

CSW assigned the CVE Identifier (CVE-2021-33853).

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2021-33853

nvd.nist.gov/vuln/detail/CVE-2021-33853 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Stored Cross-Site Scripting in X2CRM

What this actually is.

From one requestto root shell.

What an attacker does to you.

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Modify the code and get the session information of other users.

Compromise the user machine.

Fix it. In this order.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

Explicitly set the character set encoding for each page generated by the webserver.

Encode dynamic output elements and filter specific characters in dynamic elements.

Vendors moved in days.Attackers in hours.

Discovered in X2CRM 8.0` Product

CSW team reported to Vendor about the vulnerability.

X2CRM team postponed the release of X2CRM 8.5.

Vendor fixed the issue.

CSW assigned the CVE Identifier (CVE-2021-33853).

Cite, verify, go deeper.

NVD — CVE-2021-33853

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Stored Cross-Site Scripting in X2CRM

What this actually is.

From one requestto root shell.

What an attacker does to you.

Inject malicious code into the vulnerable variable and exploit the application through the Cross-Site Scripting vulnerability.

Modify the code and get the session information of other users.

Compromise the user machine.

Fix it. In this order.

Perform context-sensitive encoding of entrusted input before echoing back to a browser using an encoding library throughout the application.

Implement input validation for special characters on all the variables are reflected in the browser and stored in the database.

Explicitly set the character set encoding for each page generated by the webserver.

Encode dynamic output elements and filter specific characters in dynamic elements.

Vendors moved in days.Attackers in hours.

Discovered in X2CRM 8.0` Product

CSW team reported to Vendor about the vulnerability.

X2CRM team postponed the release of X2CRM 8.5.

Vendor fixed the issue.

CSW assigned the CVE Identifier (CVE-2021-33853).

Cite, verify, go deeper.

NVD — CVE-2021-33853

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.