Vulnerabilities > Exponentcms > Exponent CMS > 2.1.5

DATE CVE VULNERABILITY TITLE RISK
2017-03-07 CVE-2016-7789 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the apikey parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7788 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7784 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7783 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7782 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the src parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7781 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7780 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-02-07 CVE-2016-7400 SQL Injection vulnerability in Exponentcms Exponent CMS
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-01-18 CVE-2015-8684 Cross-site Scripting vulnerability in Exponentcms Exponent CMS
Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the elFinder functionality.
network
low complexity
exponentcms CWE-79
6.1
6.1
2017-01-18 CVE-2015-8667 Cross-site Scripting vulnerability in Exponentcms Exponent CMS
Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email.
network
low complexity
exponentcms CWE-79
6.1
6.1