Exponent CMS Information Disclosure and SQL Injection Vulnerabilities
2016-11-17T00:00:00
ID OPENVAS:1361412562310809728 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2020-05-08T00:00:00
Description
Exponent CMS is installed on this host
and is prone to SQL injection and information disclosure vulnerabilities.
###############################################################################
# OpenVAS Vulnerability Test
#
# Exponent CMS Information Disclosure and SQL Injection Vulnerabilities
#
# Authors:
# Shakeel <bshakeel@secpod.com>
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE of the product this test targets; the detection code after the
# description block passes it to get_app_port() and get_app_location().
CPE = "cpe:/a:exponentcms:exponent_cms";
# Registration branch: it only calls script_* metadata functions and then
# exits, so none of the network code below runs when this branch is taken.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.809728");
script_version("2020-05-08T08:34:44+0000");
# Nine CVEs are attached to this one test. The active check at the end of the
# file requests only the users/getUsersByJSON route, so a finding demonstrates
# that single disclosure; the other listed issues are not probed individually.
script_cve_id("CVE-2016-9284", "CVE-2016-9285", "CVE-2016-9282", "CVE-2016-9283",
"CVE-2016-9242", "CVE-2016-9183", "CVE-2016-9184", "CVE-2016-9182",
"CVE-2016-9481");
# NOTE(review): 94227 is listed twice; either a harmless duplicate or a
# mistyped id. Confirm against the advisory references.
script_bugtraq_id(94296, 94194, 94227, 94227, 94590);
# CVSS v2 base score and vector reported for the finding as a whole.
script_tag(name:"cvss_base", value:"7.5");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_tag(name:"last_modification", value:"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)");
script_tag(name:"creation_date", value:"2016-11-17 13:31:19 +0530 (Thu, 17 Nov 2016)");
script_name("Exponent CMS Information Disclosure and SQL Injection Vulnerabilities");
# ACT_ATTACK: the test sends a request that returns real user records when the
# target is vulnerable, so run it only against systems you are authorized to scan.
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
script_family("Web application abuses");
# Presumably the detection script named here sets the "ExponentCMS/installed"
# key required below; confirm in that script.
script_dependencies("gb_exponet_cms_detect.nasl");
script_require_ports("Services/www", 80);
script_mandatory_keys("ExponentCMS/installed");
# Vendor release pages; the two patch tags are the only fix references given.
script_xref(name:"URL", value:"https://github.com/exponentcms/exponent-cms/releases");
script_xref(name:"URL", value:"https://github.com/exponentcms/exponent-cms/releases/tag/v2.4.0patch1");
script_xref(name:"URL", value:"https://github.com/exponentcms/exponent-cms/releases/tag/v2.4.0patch2");
script_tag(name:"summary", value:"This host is installed with Exponent CMS
and is prone to sql injection and information disclosure vulnerabilities.");
script_tag(name:"vuldetect", value:"Send a crafted request via HTTP GET and
check if response is disclosing sensitive user information.");
# One bullet per flaw covered by the CVE list above.
script_tag(name:"insight", value:"Multiple flaws are due to,
- An error in 'getUsersByJSON' in
framework/modules/users/controllers/usersController.php script.
- An error in framework/modules/addressbook/controllers/addressController.php
script while passing input via modified id number.
- An input passed via 'search_string' parameter to
framework/modules/search/controllers/searchController.php script is not validated
properly.
- An error in framework/core/subsystems/expRouter.php script allowing to read
database information via address/addContentToSearch/id/ and a trailing string.
- Input passed via 'content_type' and 'subtype' parameter to
framework/modules/core/controllers/expRatingController.php script is not validated
properly.
- Insufficient sanitization of input passed via 'selectObjectsBySql' to
/framework/modules/ecommerce/controllers/orderController.php script.
- Insufficient validation of input passed to
/framework/modules/core/controllers/expHTMLEditorController.php script.
- Exponent CMS permits undefined actions to execute by default.
- Input passed via 'content_id' parameter into showComments within
framework/modules/core/controllers/expCommentController.php script is not
sanitized properly.");
script_tag(name:"impact", value:"Successful exploitation will allow remote
attackers to gain access to potentially sensitive information and execute
arbitrary SQL commands.");
script_tag(name:"affected", value:"Exponent CMS version 2.4.0.");
# NOTE(review): the solution text names no fixed version; the patch1/patch2
# release tags in the xrefs above are presumably the fixes. Confirm with the vendor.
script_tag(name:"solution", value:"Update to the latest release version.");
script_tag(name:"solution_type", value:"VendorFix");
# remote_app: the result comes from an application-level response, not from a
# version banner.
script_tag(name:"qod_type", value:"remote_app");
# End of registration; nothing after this line runs in this branch.
exit(0);
}
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
include("misc_func.inc");
# Active check for the getUsersByJSON disclosure: request the route without
# credentials and report the host only when the response looks like a dump of
# user records. The other issues named in the description are not probed here.

# Look up the port and install path recorded for this CPE; exit without a
# result if either is missing.
http_port = get_app_port( cpe:CPE );
if( ! http_port ) exit( 0 );

install_dir = get_app_location( cpe:CPE, port:http_port );
if( ! install_dir ) exit( 0 );

# A root install is stored as "/"; drop it so the URL does not start with "//".
if( install_dir == "/" ) install_dir = "";

# The sort value is a scanner-supplied string plus "test" (presumably a marker
# that identifies the scanner in web server logs; confirm in get_vt_strings()).
vt_strings = get_vt_strings();
probe_url = install_dir + "/users/getUsersByJSON/sort/" + vt_strings[ "default" ] + "test";

# Strings passed as extra_check alongside the main pattern: the product's
# generator text plus field names of the user listing.
expected_markers = make_list( 'content="Exponent Content Management System',
                              "lastname", "firstname", "email", "recordsReturned" );

# The pattern needs a value ending in "admin" directly followed by a password
# field, so an install with no such account name would go unreported.
# NOTE(review): possible false negative; confirm whether that is acceptable.
is_disclosing = http_vuln_check( port:http_port, url:probe_url, check_header:TRUE,
                                 pattern:'admin","password":"[a-zA-Z0-9]',
                                 extra_check:expected_markers );

# exit(99) is presumably the "checked, not vulnerable" status; confirm against
# the scanner documentation.
if( ! is_disclosing ) exit( 99 );

# Only the probed URL is handed to the report helper, not the response body
# with its password values.
finding = http_report_vuln_url( port:http_port, url:probe_url );
security_message( port:http_port, data:finding );
exit( 0 );
{"id": "OPENVAS:1361412562310809728", "type": "openvas", "bulletinFamily": "scanner", "title": "Exponent CMS Information Disclosure and SQL Injection Vulnerabilities", "description": "This host is installed with Exponent CMS\n and is prone to sql injection and information disclosure vulnerabilities.", "published": "2016-11-17T00:00:00", "modified": "2020-05-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809728", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://github.com/exponentcms/exponent-cms/releases/tag/v2.4.0patch2", "https://github.com/exponentcms/exponent-cms/releases/tag/v2.4.0patch1", "https://github.com/exponentcms/exponent-cms/releases"], "cvelist": ["CVE-2016-9285", "CVE-2016-9183", "CVE-2016-9283", "CVE-2016-9184", "CVE-2016-9481", "CVE-2016-9242", "CVE-2016-9182", "CVE-2016-9282", "CVE-2016-9284"], "lastseen": "2020-05-12T17:23:19", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-9285", "CVE-2016-9282", "CVE-2016-9242", "CVE-2016-9184", "CVE-2016-9183", "CVE-2016-9284", "CVE-2016-9182", "CVE-2016-9481", "CVE-2016-9283"]}], "modified": "2020-05-12T17:23:19", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-05-12T17:23:19", "rev": 2}, "vulnersScore": 5.4}, "pluginID": "1361412562310809728", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Exponent CMS Information Disclosure and SQL Injection Vulnerabilities\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# 
This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:exponentcms:exponent_cms\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809728\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2016-9284\", \"CVE-2016-9285\", \"CVE-2016-9282\", \"CVE-2016-9283\",\n \"CVE-2016-9242\", \"CVE-2016-9183\", \"CVE-2016-9184\", \"CVE-2016-9182\",\n \"CVE-2016-9481\");\n script_bugtraq_id(94296, 94194, 94227, 94227, 94590);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-17 13:31:19 +0530 (Thu, 17 Nov 2016)\");\n script_name(\"Exponent CMS Information Disclosure and SQL Injection Vulnerabilities\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_exponet_cms_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"ExponentCMS/installed\");\n\n script_xref(name:\"URL\", value:\"https://github.com/exponentcms/exponent-cms/releases\");\n script_xref(name:\"URL\", value:\"https://github.com/exponentcms/exponent-cms/releases/tag/v2.4.0patch1\");\n script_xref(name:\"URL\", value:\"https://github.com/exponentcms/exponent-cms/releases/tag/v2.4.0patch2\");\n\n 
script_tag(name:\"summary\", value:\"This host is installed with Exponent CMS\n and is prone to sql injection and information disclosure vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check if response is disclosing sensitive user information.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - An error in 'getUsersByJSON' in\n framework/modules/users/controllers/usersController.php script.\n\n - An error in framework/modules/addressbook/controllers/addressController.php\n script while passing input via modified id number.\n\n - An input passed via 'search_string' parameter to\n framework/modules/search/controllers/searchController.php script is not validated\n properly.\n\n - An error in framework/core/subsystems/expRouter.php script allowing to read\n database information via address/addContentToSearch/id/ and a trailing string.\n\n - Input passed via 'content_type' and 'subtype' parameter to\n framework/modules/core/controllers/expRatingController.php script is not validated\n properly.\n\n - Insufficient sanitization of input passed via 'selectObjectsBySql' to\n /framework/modules/ecommerce/controllers/orderController.php script.\n\n - Insufficient validation of input passed to\n /framework/modules/core/controllers/expHTMLEditorController.php script.\n\n - Exponent CMS permits undefined actions to execute by default.\n\n - Input passed via 'content_id' parameter into showComments within\n framework/modules/core/controllers/expCommentController.php script is not\n sanitized properly.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to potentially sensitive information and execute\n arbitrary SQL commands.\");\n\n script_tag(name:\"affected\", value:\"Exponent CMS version 2.4.0.\");\n\n script_tag(name:\"solution\", value:\"Update to the latest release version.\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) ) exit( 0 );\nif( ! dir = get_app_location( cpe:CPE, port:port ) ) exit( 0 );\n\nif( dir == \"/\" ) dir = \"\";\n\nvtstrings = get_vt_strings();\n\nurl = dir + \"/users/getUsersByJSON/sort/\" + vtstrings[\"default\"] + \"test\";\n\nif( http_vuln_check( port:port, url:url, check_header:TRUE,\n pattern:'admin\",\"password\":\"[a-zA-Z0-9]',\n extra_check:make_list( 'content=\"Exponent Content Management System',\n \"lastname\", \"firstname\", \"email\", \"recordsReturned\" ) ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "naslFamily": "Web application abuses", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:28:13", "description": "In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table name, and in the selectObject method in mysqli class, table names are wrapped with a character that common filters do not filter, allowing for SQL Injection. Impact is Information Disclosure.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-04T10:59:00", "title": "CVE-2016-9184", "type": "cve", "cwe": ["CWE-200", "CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9184"], "modified": "2016-11-29T18:38:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9184", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9184", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. 
But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-04T10:59:00", "title": "CVE-2016-9182", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9182"], "modified": "2016-11-29T18:37:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9182", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9182", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "getUsersByJSON in framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0 allows remote attackers to read user 
information via users/getUsersByJSON/sort/ and a trailing string.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2016-11-11T22:59:00", "title": "CVE-2016-9284", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9284"], "modified": "2017-07-28T01:29:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9284", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9284", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "framework/modules/addressbook/controllers/addressController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via a modified id number, as demonstrated by address/edit/id/1, related to an \"addresses, countries, and regions\" issue.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2016-11-11T22:59:00", "title": "CVE-2016-9285", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9285"], "modified": "2017-07-28T01:29:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9285", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9285", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:14", "description": "In framework/modules/core/controllers/expCommentController.php of Exponent CMS 2.4.0, content_id input is passed into showComments. The method showComments is defined in the expCommentControllercontroller with the parameter '$this->params['content_id']' used directly in SQL. 
Impact is a SQL injection.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-29T23:59:00", "title": "CVE-2016-9481", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9481"], "modified": "2017-07-28T01:29:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9481", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9481", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database information via action=search&module=search with the search_string parameter.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-11T22:59:00", "title": "CVE-2016-9282", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9282"], "modified": "2017-07-28T01:29:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9282", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9282", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql. The method selectObjectsBySql of class mysqli_database uses the injectProof method to prevent SQL injection, but this filter can be bypassed easily: it only sanitizes user input if there are odd numbers of ' or \" characters. 
Impact is Information Disclosure.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-04T10:59:00", "title": "CVE-2016-9183", "type": "cve", "cwe": ["CWE-200"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9183"], "modified": "2016-11-29T18:37:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9183", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9183", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "SQL Injection in framework/core/subsystems/expRouter.php in Exponent CMS v2.4.0 allows remote attackers to read database information via address/addContentToSearch/id/ and a trailing string, related to a \"sef URL\" issue.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", 
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2016-11-11T22:59:00", "title": "CVE-2016-9283", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9283"], "modified": "2017-07-28T01:29:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9283", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9283", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:13", "description": "Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS 2.4.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) content_type or (2) subtype parameter.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-07T11:59:00", "title": "CVE-2016-9242", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-9242"], "modified": "2016-11-29T18:23:00", "cpe": ["cpe:/a:exponentcms:exponent_cms:2.4.0"], "id": "CVE-2016-9242", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9242", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*"]}]}