Vulnerabilities for 'Exponent cms'

2022-02-09

CVE-2022-23047 (CWE-79)
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site".

CVE-2022-23048 (CWE-434)
Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the form of a ZIP file containing a PHP file. After the upload, the PHP file is placed at "themes/simpletheme/{rce}.php", from where it can be accessed in order to execute commands.

CVE-2022-23049 (CWE-79)
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code into the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript is triggered, allowing an attacker to compromise the administrator session.

2020-12-31

CVE-2016-9026 (CWE-20)
Exponent CMS before 2.6.0 has improper input validation in fileController.php.

CVE-2016-9025 (CWE-20)
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.

CVE-2016-9023 (CWE-20)
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.

CVE-2016-9022 (CWE-20)
Exponent CMS before 2.6.0 has improper input validation in usersController.php.

CVE-2016-9021 (CWE-20)
Exponent CMS before 2.6.0 has improper input validation in storeController.php.

2019-05-24

CVE-2016-8900 (CWE-74)
Exponent CMS version 2.3.9 suffers from an object injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.

CVE-2016-8898 (CWE-89)
Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.

Copyright 2024, cxsecurity.com