Exponentcms

exponentcms

60 CVEs • 2 products

Products (2)

Exponent Cms (exponent_cms)
Exponentcms (exponentcms)

CVEs (60)

| Vendors | Products | Updated | Published | CVSS v4 | CVSS v3 | CVSS v2 | Description |
|---|---|---|---|---|---|---|---|
| 1 (Exponentcms) | 1 (Exponent Cms) | Mar 19, 2025 | Feb 17, 2023 | N/A | 7.5 HIGH | N/A | SQL injection vulnerability in Exponent-CMS v2.6.0, fixed in 2.7.0, allows attackers to gain access to sensitive information via the selectValue function in the expConfig class. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Feb 9, 2022 | N/A | 5.4 MEDIUM | 3.5 LOW | Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code in the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript is triggered, allowing an attacker to compromise the administrator session. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Feb 9, 2022 | N/A | 7.2 HIGH | 6.5 MEDIUM | Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the form of a ZIP file with a PHP file inside it. After uploading it, the PHP file is placed at "themes/simpletheme/{rce}.php", from where it can be accessed in order to execute commands. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Feb 9, 2022 | N/A | 4.8 MEDIUM | 3.5 LOW | Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site". |
| 1 (Exponentcms) | 1 (Exponentcms) | Nov 21, 2024 | Aug 16, 2021 | N/A | 4.3 MEDIUM | 4.3 MEDIUM | An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Dec 31, 2020 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS before 2.6.0 has improper input validation in fileController.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Dec 31, 2020 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Dec 31, 2020 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Dec 31, 2020 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS before 2.6.0 has improper input validation in usersController.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Dec 31, 2020 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS before 2.6.0 has improper input validation in storeController.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | May 24, 2019 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS version 2.3.9 suffers from an object injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | May 24, 2019 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/ecommerce/controllers/cartController.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | May 23, 2019 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS version 2.3.9 suffers from an object injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | May 23, 2019 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/help/controllers/helpController.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Mar 7, 2018 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location." |
| 1 (Exponentcms) | 1 (Exponent Cms) | Nov 21, 2024 | Mar 4, 2018 | N/A | 7.2 HIGH | 6.5 MEDIUM | In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges. |
| 1 (Exponentcms) | 1 (Exponent Cms) | May 13, 2026 | Aug 28, 2017 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2. |
| 1 (Exponentcms) | 1 (Exponent Cms) | May 13, 2026 | Apr 24, 2017 | N/A | 6.1 MEDIUM | 4.3 MEDIUM | In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | May 13, 2026 | Apr 22, 2017 | N/A | 9.8 CRITICAL | 7.5 HIGH | Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php. |
| 1 (Exponentcms) | 1 (Exponent Cms) | May 13, 2026 | Mar 7, 2017 | N/A | 9.8 CRITICAL | 7.5 HIGH | SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter. |