Vulnerabilities > Exponentcms > Exponent CMS > 2.3.9

DATE CVE VULNERABILITY TITLE RISK
2018-03-04 CVE-2017-18213 Unspecified vulnerability in Exponentcms Exponent CMS
In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.
network
low complexity
exponentcms
7.2
7.2
2017-04-22 CVE-2017-7991 SQL Injection vulnerability in Exponentcms Exponent CMS
Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-9087 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-9020 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-9019 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in the activate_address function in framework/modules/addressbook/controllers/addressController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the is_what parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7789 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the apikey parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7788 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7784 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7783 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8
2017-03-07 CVE-2016-7782 SQL Injection vulnerability in Exponentcms Exponent CMS
SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the src parameter.
network
low complexity
exponentcms CWE-89
critical
 9.8
9.8