exponentcms/exponent-cms

GitHub

github.com

exponentcms.org

Releases153

Frequency1 month 4 days

Last Release 9 months ago

Stars60

Content Management, Simple.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-32441 ↗	Feb 17, 2023Friday, 17 February 2023, 18:15	7.5 HIGH	—
SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.
CVE-2022-23049 ↗	Feb 9, 2022Wednesday, 9 February 2022, 23:15	5.4 MEDIUM	3.5 LOW
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.
CVE-2022-23048 ↗	Feb 9, 2022Wednesday, 9 February 2022, 23:15	7.2 HIGH	6.5 MEDIUM
Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.
CVE-2022-23047 ↗	Feb 9, 2022Wednesday, 9 February 2022, 23:15	4.8 MEDIUM	3.5 LOW
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"
CVE-2021-38751 ↗	Aug 16, 2021Monday, 16 August 2021, 14:15	4.3 MEDIUM	4.3 MEDIUM
A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM.
CVE-2016-9026 ↗	Dec 31, 2020Thursday, 31 December 2020, 03:15	9.8 CRITICAL	7.5 HIGH
Exponent CMS before 2.6.0 has improper input validation in fileController.php.
CVE-2016-9025 ↗	Dec 31, 2020Thursday, 31 December 2020, 03:15	9.8 CRITICAL	7.5 HIGH
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
CVE-2016-9023 ↗	Dec 31, 2020Thursday, 31 December 2020, 03:15	9.8 CRITICAL	7.5 HIGH
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
CVE-2016-9022 ↗	Dec 31, 2020Thursday, 31 December 2020, 03:15	9.8 CRITICAL	7.5 HIGH
Exponent CMS before 2.6.0 has improper input validation in usersController.php.
CVE-2016-9021 ↗	Dec 31, 2020Thursday, 31 December 2020, 03:15	9.8 CRITICAL	7.5 HIGH
Exponent CMS before 2.6.0 has improper input validation in storeController.php.
CVE-2016-8900 ↗	May 24, 2019Friday, 24 May 2019, 17:29	—	7.5 HIGH
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.
CVE-2016-8898 ↗	May 24, 2019Friday, 24 May 2019, 17:29	—	7.5 HIGH
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.
CVE-2016-8899 ↗	May 23, 2019Thursday, 23 May 2019, 19:29	—	7.5 HIGH
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.
CVE-2016-8897 ↗	May 23, 2019Thursday, 23 May 2019, 19:29	—	7.5 HIGH
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-7443 ↗	Mar 7, 2018Wednesday, 7 March 2018, 02:29	—	7.5 HIGH
Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location."
CVE-2017-18213 ↗	Mar 4, 2018Sunday, 4 March 2018, 02:29	—	6.5 MEDIUM
In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.
CVE-2017-8085 ↗	Apr 24, 2017Monday, 24 April 2017, 14:59	—	4.3 MEDIUM
In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.
CVE-2017-7991 ↗	Apr 22, 2017Saturday, 22 April 2017, 01:59	—	7.5 HIGH
Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.
CVE-2016-7788 ↗	Mar 7, 2017Tuesday, 7 March 2017, 16:59	—	7.5 HIGH
SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2016-7780 ↗	Mar 7, 2017Tuesday, 7 March 2017, 16:59	—	7.5 HIGH
SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
CVE-2016-9087 ↗	Mar 7, 2017Tuesday, 7 March 2017, 16:59	—	7.5 HIGH
SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter.
CVE-2016-7781 ↗	Mar 7, 2017Tuesday, 7 March 2017, 16:59	—	7.5 HIGH
SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter.
CVE-2016-7784 ↗	Mar 7, 2017Tuesday, 7 March 2017, 16:59	—	7.5 HIGH
SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter.
CVE-2016-9020 ↗	Mar 7, 2017Tuesday, 7 March 2017, 16:59	—	7.5 HIGH
SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
CVE-2016-7565 ↗	Feb 13, 2017Monday, 13 February 2017, 18:59	—	7.5 HIGH
install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter.
CVE-2016-7400 ↗	Feb 7, 2017Tuesday, 7 February 2017, 15:59	—	7.5 HIGH
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action.
CVE-2017-5879 ↗	Feb 6, 2017Monday, 6 February 2017, 15:59	—	7.5 HIGH
An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects source_selector.php and the following parameter: src.
CVE-2016-9287 ↗	Nov 15, 2016Tuesday, 15 November 2016, 11:59	—	7.5 HIGH
In /framework/modules/notfound/controllers/notfoundController.php of Exponent CMS 2.4.0 patch1, untrusted input is passed into getSearchResults. The method getSearchResults is defined in the search model with the parameter '$term' used directly in SQL. Impact is a SQL injection.
CVE-2016-9288 ↗	Nov 11, 2016Friday, 11 November 2016, 23:59	—	7.5 HIGH
In framework/modules/navigation/controllers/navigationController.php in Exponent CMS v2.4.0 or older, the parameter "target" of function "DragnDropReRank" is directly used without any filtration which caused SQL injection. The payload can be used like this: /navigation/DragnDropReRank/target/1.
CVE-2016-9286 ↗	Nov 11, 2016Friday, 11 November 2016, 22:59	—	5 MEDIUM
framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0patch1 does not properly restrict access to user records, which allows remote attackers to read address information, as demonstrated by an address/show/id/1 URI.
CVE-2016-9285 ↗	Nov 11, 2016Friday, 11 November 2016, 22:59	—	5 MEDIUM
framework/modules/addressbook/controllers/addressController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via a modified id number, as demonstrated by address/edit/id/1, related to an "addresses, countries, and regions" issue.
CVE-2016-9284 ↗	Nov 11, 2016Friday, 11 November 2016, 22:59	—	5 MEDIUM
getUsersByJSON in framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via users/getUsersByJSON/sort/ and a trailing string.
CVE-2016-9283 ↗	Nov 11, 2016Friday, 11 November 2016, 22:59	—	5 MEDIUM
SQL Injection in framework/core/subsystems/expRouter.php in Exponent CMS v2.4.0 allows remote attackers to read database information via address/addContentToSearch/id/ and a trailing string, related to a "sef URL" issue.
CVE-2016-9282 ↗	Nov 11, 2016Friday, 11 November 2016, 22:59	—	5 MEDIUM
SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database information via action=search&module=search with the search_string parameter.
CVE-2016-9272 ↗	Nov 11, 2016Friday, 11 November 2016, 11:59	—	6.4 MEDIUM
A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site database information disclosure and denial of service.
CVE-2016-9242 ↗	Nov 7, 2016Monday, 7 November 2016, 11:59	—	6.5 MEDIUM
Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS 2.4.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) content_type or (2) subtype parameter.
CVE-2016-9184 ↗	Nov 4, 2016Friday, 4 November 2016, 10:59	—	5 MEDIUM
In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table name, and in the selectObject method in mysqli class, table names are wrapped with a character that common filters do not filter, allowing for SQL Injection. Impact is Information Disclosure.
CVE-2016-9183 ↗	Nov 4, 2016Friday, 4 November 2016, 10:59	—	5 MEDIUM
In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql. The method selectObjectsBySql of class mysqli_database uses the injectProof method to prevent SQL injection, but this filter can be bypassed easily: it only sanitizes user input if there are odd numbers of ' or " characters. Impact is Information Disclosure.
CVE-2016-9182 ↗	Nov 4, 2016Friday, 4 November 2016, 10:59	—	5 MEDIUM
Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.
CVE-2016-9135 ↗	Nov 3, 2016Thursday, 3 November 2016, 10:59	—	5 MEDIUM
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the version parameter. Impact is Information Disclosure.
CVE-2016-9134 ↗	Nov 3, 2016Thursday, 3 November 2016, 10:59	—	5 MEDIUM
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/expPaginator.php" affecting the order parameter. Impact is Information Disclosure.
CVE-2016-7453 ↗	Nov 3, 2016Thursday, 3 November 2016, 10:59	—	7.5 HIGH
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to perform an fid SQL Injection.
CVE-2016-7452 ↗	Nov 3, 2016Thursday, 3 November 2016, 10:59	—	5 MEDIUM
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal.
CVE-2016-7095 ↗	Nov 3, 2016Thursday, 3 November 2016, 10:59	—	7.5 HIGH
Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an unprotected folder, one allowing script execution.