Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

Exponent Cms Security Vulnerabilities

cve
cve

CVE-2016-9481

In framework/modules/core/controllers/expCommentController.php of Exponent CMS 2.4.0, content_id input is passed into showComments. The method showComments is defined in the expCommentControllercontroller with the parameter '$this->params['content_id']' used directly in SQL. Impact is a SQL inje...

9.8CVSS

9.8AI Score

0.002EPSS

2016-11-29 11:59 PM
21
cve
cve

CVE-2017-18213

In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.

7.2CVSS

7AI Score

0.001EPSS

2018-03-04 02:29 AM
25
cve
cve

CVE-2017-5879

An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability af...

9.8CVSS

9.7AI Score

0.002EPSS

2017-02-06 03:59 PM
28
cve
cve

CVE-2017-7991

Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.

9.8CVSS

9.8AI Score

0.135EPSS

2017-04-22 01:59 AM
25
cve
cve

CVE-2017-8085

In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.

6.1CVSS

5.9AI Score

0.001EPSS

2017-04-24 02:59 PM
27
cve
cve

CVE-2021-32441

SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.

7.5CVSS

7.9AI Score

0.001EPSS

2023-02-17 06:15 PM
16
cve
cve

CVE-2022-23047

Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"

4.8CVSS

5.1AI Score

0.001EPSS

2022-02-09 11:15 PM
58
cve
cve

CVE-2022-23048

Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.

7.2CVSS

7AI Score

0.002EPSS

2022-02-09 11:15 PM
105
cve
cve

CVE-2022-23049

Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.

5.4CVSS

5.4AI Score

0.001EPSS

2022-02-09 11:15 PM
83
Total number of security vulnerabilities59