Vulnerabilities for Exponent cms (...) - CXSECURITY.COM

Vulnerabilities for 'Exponent cms'

2022-02-09

CVE-2022-23047

CWE-79

Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"

CVE-2022-23048

CWE-434

Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.

CVE-2022-23049

CWE-79

Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.

2020-12-31

CVE-2016-9026

CWE-20

Exponent CMS before 2.6.0 has improper input validation in fileController.php.

CVE-2016-9025

CWE-20

Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.

CVE-2016-9023

CWE-20

Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.

CVE-2016-9022

CWE-20

Exponent CMS before 2.6.0 has improper input validation in usersController.php.

CVE-2016-9021

CWE-20

Exponent CMS before 2.6.0 has improper input validation in storeController.php.

2019-05-24

CVE-2016-8900

CWE-74

Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.

CVE-2016-8898

CWE-89

Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.

Copyright 2024, cxsecurity.com