2 matches found
Exponent CMS eaasController.php api Function SQL Injection (CVE-2017-7991)
A SQL injection vulnerability has been reported in Exponent CMS. The vulnerability is due to a lack of input validation on the apikey HTTP parameter by the api function. A remote, unauthenticated user can exploit this vulnerability by sending a crafted HTTP request to the affected page...
CVE-2017-7991
Exponent CMS 2.4.1 and earlier is affected by a SQL injection in the api() function of framework/modules/eaas/controllers/eaasController.php. The root cause is lack of input validation on the apikey parameter, which is base64-encoded, URL-decoded, and unserialized (via expUnserialize) before furt...