Vulnerabilities (CVE)

Filtered by vendor Exponentcms Subscribe
Total 60 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-32441 1 Exponentcms 1 Exponent Cms 2024-02-28 N/A 7.5 HIGH
SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.
CVE-2022-23049 1 Exponentcms 1 Exponent Cms 2024-02-28 3.5 LOW 5.4 MEDIUM
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.
CVE-2022-23047 1 Exponentcms 1 Exponent Cms 2024-02-28 3.5 LOW 4.8 MEDIUM
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"
CVE-2022-23048 1 Exponentcms 1 Exponent Cms 2024-02-28 6.5 MEDIUM 7.2 HIGH
Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands.
CVE-2021-38751 1 Exponentcms 1 Exponentcms 2024-02-28 4.3 MEDIUM 4.3 MEDIUM
A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM.
CVE-2016-9022 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in usersController.php.
CVE-2016-9023 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
CVE-2016-9025 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
CVE-2016-9021 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in storeController.php.
CVE-2016-9026 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in fileController.php.
CVE-2016-8898 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.
CVE-2016-8897 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-8899 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.
CVE-2016-8900 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.
CVE-2016-7443 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location."
CVE-2017-18213 1 Exponentcms 1 Exponent Cms 2024-02-28 6.5 MEDIUM 7.2 HIGH
In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.
CVE-2015-1177 1 Exponentcms 1 Exponent Cms 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2.
CVE-2016-7565 1 Exponentcms 1 Exponent Cms 2024-02-28 7.5 HIGH 9.8 CRITICAL
install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter.
CVE-2015-8667 1 Exponentcms 1 Exponent Cms 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email.
CVE-2016-9282 1 Exponentcms 1 Exponent Cms 2024-02-28 5.0 MEDIUM 7.5 HIGH
SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database information via action=search&module=search with the search_string parameter.