Sql injection

Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the 1 id parameter in an activateaddress address controller action, 2 title parameter in a show blog controller action, or 3 contentid parameter in a showComments...

CVE-2016-7400

Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the 1 id parameter in an activateaddress address controller action, 2 title parameter in a show blog controller action, or 3 contentid parameter in a showComments...

CVE-2016-7400

Exponent CMS before 2.4.0 is affected by multiple SQL injection vulnerabilities (parameters: id in activate_address, title in show blog, content_id in showComments expComment) that allow remote attackers to execute arbitrary SQL. Official fix released in version 2.4.0; upgrade to 2.4.0 or apply v...

CVE-2016-7400

Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the 1 id parameter in an activateaddress address controller action, 2 title parameter in a show blog controller action, or 3 contentid parameter in a showComments...

OIC Exponent CMS SQL Injection Vulnerability (CNVD-2017-01280)

OIC Exponent CMS is a free, open source modular content management system CMS based on PHP from the American OIC Group of companies. The system supports direct editing in the page, and provides user management, site configuration, content editing and other functions. A SQL injection vulnerability...

CVE-2017-5879

An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as selectloadfile. The vulnerability...

Sql injection

An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as selectloadfile. The vulnerability...

CVE-2017-5879

An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as selectloadfile. The vulnerability...

CVE-2017-5879

An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as selectloadfile. The vulnerability...

CVE-2017-5879

CVE-2017-5879 affects Exponent CMS 2.4.1. The issue is a blind SQL injection in the file/source_selector.php, targeting the src parameter, that can be exploited by unauthenticated users via an HTTP GET request and may allow dumping of database data to a malicious server using an out-of-band techn...

CVE-2016-2242

Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php...

CVE-2016-2242

Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php...

Code injection

Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php...

CVE-2016-2242

Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php...

CVE-2016-2242

Exponent CMS 2.x before 2.3.7 Patch 3 is vulnerable to remote code execution via the sc parameter to install/index.php. The HTBridge advisory details that an unauthenticated attacker can inject PHP code into /framework/conf/config.php, gaining arbitrary command execution with the web server, and ...

Cross site scripting

Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting XSS attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the...

Cross site scripting

Cross-site scripting XSS vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email...

CVE-2015-8684

Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting XSS attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the...

CVE-2015-8667

Cross-site scripting XSS vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email...

CVE-2015-8667

Cross-site scripting XSS vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email...