Vulnerabilities > Exponentcms > Exponent CMS > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-11-11 | CVE-2016-9282 | SQL Injection vulnerability in Exponentcms Exponent CMS 2.4.0 SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database information via action=search&module=search with the search_string parameter. | 5.0 |
| 2016-11-11 | CVE-2016-9272 | SQL Injection vulnerability in Exponentcms Exponent CMS A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site database information disclosure and denial of service. | 6.4 |
| 2016-11-07 | CVE-2016-9242 | SQL Injection vulnerability in Exponentcms Exponent CMS 2.4.0 Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS 2.4.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) content_type or (2) subtype parameter. | 6.5 |
| 2016-11-04 | CVE-2016-9184 | Information Exposure vulnerability in Exponentcms Exponent CMS 2.4.0 In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table name, and in the selectObject method in mysqli class, table names are wrapped with a character that common filters do not filter, allowing for SQL Injection. | 5.0 |
| 2016-11-04 | CVE-2016-9183 | Information Exposure vulnerability in Exponentcms Exponent CMS 2.4.0 In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql. | 5.0 |
| 2016-11-04 | CVE-2016-9182 | Improper Access Control vulnerability in Exponentcms Exponent CMS 2.4.0 Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. | 5.0 |
| 2016-11-03 | CVE-2016-9135 | Information Exposure vulnerability in Exponentcms Exponent CMS 2.3.9 Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the version parameter. | 5.0 |
| 2016-11-03 | CVE-2016-9134 | Information Exposure vulnerability in Exponentcms Exponent CMS 2.3.9 Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/expPaginator.php" affecting the order parameter. | 5.0 |
| 2016-11-03 | CVE-2016-7452 | Unrestricted Upload of File with Dangerous Type vulnerability in Exponentcms Exponent CMS The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal. | 5.0 |
| 2015-02-19 | CVE-2014-8690 | Cross-site Scripting vulnerability in Exponentcms Exponent CMS Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src parameter in a none action to index.php, or the (3) "First Name" or (4) "Last Name" field to users/edituser. | 4.3 |