
Summary

Detail
Vendor            Exponentcms          First view   2014-02-11
Product           Exponent CMS         Last view    2020-12-31
Version           2.1.0                Type         Application
Update            *
Edition           *
Language          *
Software Edition  *
Target Software   *
Target Hardware   *
Other             *

CPE Product cpe:2.3:a:exponentcms:exponent_cms

Related : CVE

This CPE has more than 25 related CVEs; the 25 shown below are ordered by date, newest first. Note that a CVE is related to the CPE product, not necessarily to version 2.1.0: each description states its own affected range.
  Score (CVSS)  Date        CVE             Description
9.8 2020-12-31 CVE-2016-9026

Exponent CMS before 2.6.0 has improper input validation in fileController.php.

9.8 2020-12-31 CVE-2016-9025

Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.

9.8 2020-12-31 CVE-2016-9023

Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.

9.8 2020-12-31 CVE-2016-9022

Exponent CMS before 2.6.0 has improper input validation in usersController.php.

9.8 2020-12-31 CVE-2016-9021

Exponent CMS before 2.6.0 has improper input validation in storeController.php.

9.8 2018-03-06 CVE-2016-7443

Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location."

7.2 2018-03-03 CVE-2017-18213

In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.

6.1 2017-04-24 CVE-2017-8085

In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.

9.8 2017-04-21 CVE-2017-7991

Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.

9.8 2017-03-07 CVE-2016-9087

SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter.

9.8 2017-03-07 CVE-2016-9020

SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.

9.8 2017-03-07 CVE-2016-9019

SQL injection vulnerability in the activate_address function in framework/modules/addressbook/controllers/addressController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the is_what parameter.

9.8 2017-03-07 CVE-2016-7789

SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the apikey parameter.

9.8 2017-03-07 CVE-2016-7788

SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.

9.8 2017-03-07 CVE-2016-7784

SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter.

9.8 2017-03-07 CVE-2016-7783

SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.

9.8 2017-03-07 CVE-2016-7782

SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the src parameter.

9.8 2017-03-07 CVE-2016-7781

SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter.

9.8 2017-03-07 CVE-2016-7780

SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.

9.8 2017-02-07 CVE-2016-7400

Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action.

6.1 2017-01-18 CVE-2015-8684

Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the elFinder functionality.

6.1 2017-01-18 CVE-2015-8667

Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email.

9.8 2016-11-11 CVE-2016-9288

In framework/modules/navigation/controllers/navigationController.php in Exponent CMS v2.4.0 or older, the "target" parameter of the "DragnDropReRank" function is used directly without any filtering, which leads to SQL injection. The vulnerable endpoint is reached via a URL of the form /navigation/DragnDropReRank/target/1.

9.1 2016-11-11 CVE-2016-9272

A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site database information disclosure and denial of service.

9.8 2016-11-03 CVE-2016-7453

The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 is vulnerable to SQL injection via the fid parameter.
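
To make this listing actionable, the following added example (not code from the Exponent CMS project or from the database behind this page) maps an installed Exponent CMS version to the CVEs above, using the affected range each description states. It also shows the caveat from the note above the table: the CPE names version 2.1.0, yet CVE-2016-7443 is stated only for 2.3.0 through 2.3.9, so a CPE product match is not a version match. The version-string parser, the treatment of "Patch #n" suffixes as a fourth version component, and the handling of inclusive bounds are assumptions, marked as such in the comments.

```python
"""Check which CVEs listed on this page apply to a given Exponent CMS version.

Added example; not code from the Exponent CMS project or from the CPE
database behind this listing. The affected ranges are transcribed from
the CVE descriptions above. How "Patch #n" suffixes are parsed and how
inclusive bounds are handled are assumptions, noted inline.
"""
import re

# Versions compare as (major, minor, release, patch_level). The descriptions
# above write point releases as "2.4.1 Patch #5" and "v2.3.9 patch 2"; both
# forms are accepted (assumption: the patch number is the lowest-order part).
_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\s*patch\s*#?\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Exponent CMS version: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def before(hi):
    """'before X' / 'prior to X': affected when version < X."""
    return (None, parse_version(hi))


def up_to(hi, lo=None):
    """'X and earlier' / 'X or older' / 'through X' (optionally 'A through X').

    Assumption: an inclusive bound on a release also covers that release's
    later patch levels ("2.4.1 and earlier" includes 2.4.1 Patch #3), since
    the descriptions do not say which patch closed the hole. This errs
    towards over-reporting, the right default for a vulnerability check.
    """
    a, b, c, _ = parse_version(hi)
    return (parse_version(lo) if lo else None, (a, b, c + 1, 0))


# Affected ranges, transcribed from the CVE descriptions on this page.
RANGES = {
    "CVE-2016-9026": before("2.6.0"),
    "CVE-2016-9025": before("2.6.0"),
    "CVE-2016-9023": before("2.6.0"),
    "CVE-2016-9022": before("2.6.0"),
    "CVE-2016-9021": before("2.6.0"),
    "CVE-2016-7443": up_to("2.3.9", lo="2.3.0"),
    "CVE-2017-18213": before("2.4.1 Patch #6"),
    "CVE-2017-8085": before("2.4.1 Patch #5"),
    "CVE-2017-7991": up_to("2.4.1"),
    "CVE-2016-7400": before("2.4.0"),
    "CVE-2015-8684": before("2.3.7"),
    "CVE-2015-8667": before("2.3.5"),
    "CVE-2016-9288": up_to("2.4.0"),
    "CVE-2016-9272": up_to("2.4.0"),
    "CVE-2016-7453": before("v2.3.9 patch 2"),
}
# The ten SQL injection entries dated 2017-03-07 all say "2.3.9 and earlier".
for _cve in ("CVE-2016-9087", "CVE-2016-9020", "CVE-2016-9019", "CVE-2016-7789",
             "CVE-2016-7788", "CVE-2016-7784", "CVE-2016-7783", "CVE-2016-7782",
             "CVE-2016-7781", "CVE-2016-7780"):
    RANGES[_cve] = up_to("2.3.9")


def is_affected(cve, version):
    lo, hi = RANGES[cve]
    return (lo is None or lo <= version) and version < hi


def applicable_cves(version_text):
    """Return the page's CVEs whose stated range contains this version."""
    version = parse_version(version_text)
    return sorted(cve for cve in RANGES if is_affected(cve, version))


def listed_but_not_applicable(version_text):
    """CVEs related to the CPE product but outside their own stated range.

    For the CPE's own version 2.1.0 this is CVE-2016-7443, which the
    description limits to 2.3.0 through 2.3.9.
    """
    return sorted(set(RANGES) - set(applicable_cves(version_text)))


if __name__ == "__main__":
    for v in ("2.1.0", "2.4.1 Patch #5", "2.6.0"):
        hits = applicable_cves(v)
        print(f"{v}: {len(hits)} of {len(RANGES)} listed CVEs apply")
        for cve in listed_but_not_applicable(v):
            print(f"  listed for this CPE but out of stated range: {cve}")
```

Run it against the version actually deployed (from the installation's own version file or admin page), not the version string the CPE carries; 2.1.0 matches 24 of the 25 entries, while 2.4.1 Patch #5 matches only the five "before 2.6.0" entries plus CVE-2017-18213 and CVE-2017-7991, and 2.6.0 matches none of them. The ranges here end where the page's descriptions end; they say nothing about CVEs the page does not list.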

CWE : Common Weakness Enumeration

The percentages are over all 29 CWE assignments for this CPE, not only the 25 CVEs listed above.

%        ID       Name
55% (16) CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('...
17% (5)  CWE-20   Improper Input Validation
13% (4)  CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
10% (3)  CWE-434  Unrestricted Upload of File with Dangerous Type
3% (1)   CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path ...

ExploitDB Exploits

ID     Description
25518  Exponent CMS 2.2.0 beta 3 - Multiple Vulnerabilities