Exponent Cms@2.6.0 Security Vulnerabilities and Issues — Exponent Cms@2.6.0 CVE List

Lucene search

ExponentcmsExponent Cms2.6.0

3 matches found

CVE•added 2022/02/09 11:15 p.m.•113 views

CVE-2022-23048

Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.

7.2CVSS7AI score0.04582EPSS

CVE•added 2022/02/09 11:15 p.m.•90 views

CVE-2022-23049

Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.

5.4CVSS5.4AI score0.00833EPSS

CVE•added 2022/02/09 11:15 p.m.•63 views

CVE-2022-23047

Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"

4.8CVSS5.1AI score0.00854EPSS