Filtered by vendor Exponentcms
Filtered by product Exponent Cms
Total: 59 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2016-9135 | 1 Exponentcms | 1 Exponent Cms | 2025-04-12 | N/A | Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the version parameter. Impact is Information Disclosure.
CVE-2016-9182 | 1 Exponentcms | 1 Exponent Cms | 2025-04-12 | N/A | Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. However, method names in PHP reflection are case-insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.
CVE-2010-5002 | 1 Exponentcms | 1 Exponent Cms | 2025-04-11 | N/A | Cross-site scripting (XSS) vulnerability in modules/slideshowmodule/slideshow.js.php in Exponent CMS 0.97.0 allows remote attackers to inject arbitrary web script or HTML via the u parameter.
CVE-2013-3294 | 1 Exponentcms | 1 Exponent Cms | 2025-04-11 | N/A | Multiple SQL injection vulnerabilities in Exponent CMS before 2.2.0 release candidate 1 allow remote attackers to execute arbitrary SQL commands via the (1) src or (2) username parameter to index.php.
CVE-2021-32441 | 1 Exponentcms | 1 Exponent Cms | 2025-03-19 | 7.5 High | SQL injection vulnerability in Exponent-CMS v.2.6.0, fixed in 2.7.0, allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.
CVE-2022-23049 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 5.4 Medium | Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code in the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered, allowing an attacker to compromise the administrator session.
CVE-2022-23048 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 7.2 High | Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After uploading it, the PHP file will be placed at "themes/simpletheme/{rce}.php", from where it can be accessed in order to execute commands.
CVE-2022-23047 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 4.8 Medium | Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site".
CVE-2017-18213 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A | In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.
CVE-2016-9026 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 9.8 Critical | Exponent CMS before 2.6.0 has improper input validation in fileController.php.
CVE-2016-9025 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 9.8 Critical | Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
CVE-2016-9023 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 9.8 Critical | Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
CVE-2016-9022 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 9.8 Critical | Exponent CMS before 2.6.0 has improper input validation in usersController.php.
CVE-2016-9021 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 9.8 Critical | Exponent CMS before 2.6.0 has improper input validation in storeController.php.
CVE-2016-8900 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A | Exponent CMS version 2.3.9 suffers from an Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.
CVE-2016-8899 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A | Exponent CMS version 2.3.9 suffers from an Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.
CVE-2016-8898 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A | Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.
CVE-2016-8897 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A | Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-7443 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | N/A | Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location."