Lucene search

K

15 matches found

CVE
CVE
added 2017/02/07 3:59 p.m.51 views

CVE-2016-7400

Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments...

9.8CVSS10AI score0.18219EPSS
CVE
CVE
added 2017/01/18 5:59 p.m.41 views

CVE-2015-8684

Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the...

6.1CVSS6.2AI score0.00239EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.38 views

CVE-2016-9087

SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter.

9.8CVSS10AI score0.02606EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.37 views

CVE-2016-7780

SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.

9.8CVSS10AI score0.00587EPSS
CVE
CVE
added 2017/04/24 2:59 p.m.36 views

CVE-2017-8085

In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.

6.1CVSS5.9AI score0.00368EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.35 views

CVE-2016-7782

SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the src parameter.

9.8CVSS10AI score0.00587EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.35 views

CVE-2016-9019

SQL injection vulnerability in the activate_address function in framework/modules/addressbook/controllers/addressController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the is_what parameter.

9.8CVSS10AI score0.00665EPSS
CVE
CVE
added 2017/04/22 1:59 a.m.35 views

CVE-2017-7991

Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.

9.8CVSS9.8AI score0.01354EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.34 views

CVE-2016-7781

SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter.

9.8CVSS10AI score0.00587EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.34 views

CVE-2016-7783

SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.

9.8CVSS10AI score0.00587EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.34 views

CVE-2016-9020

SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.

9.8CVSS10AI score0.00718EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.33 views

CVE-2016-7788

SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.

9.8CVSS10AI score0.00587EPSS
CVE
CVE
added 2017/01/18 5:59 p.m.31 views

CVE-2015-8667

Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email.

6.1CVSS6AI score0.00229EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.31 views

CVE-2016-7789

SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the apikey parameter.

9.8CVSS10AI score0.00678EPSS
CVE
CVE
added 2017/03/07 4:59 p.m.29 views

CVE-2016-7784

SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter.

9.8CVSS10AI score0.00587EPSS