Vulnerabilities > Exponentcms

DATE CVE VULNERABILITY TITLE RISK
2017-02-07 CVE-2016-7400 SQL Injection vulnerability in Exponentcms Exponent CMS
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action.
network
low complexity
exponentcms CWE-89
7.5
2017-02-06 CVE-2017-5879 SQL Injection vulnerability in Exponentcms Exponent CMS 2.4.1
An issue was discovered in Exponent CMS 2.4.1.
network
low complexity
exponentcms CWE-89
7.5
2017-01-23 CVE-2016-2242 Code Injection vulnerability in Exponentcms Exponent CMS
Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php.
network
low complexity
exponentcms CWE-94
critical
10.0
2017-01-18 CVE-2015-8684 Cross-site Scripting vulnerability in Exponentcms Exponent CMS
Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the elFinder functionality.
4.3
2017-01-18 CVE-2015-8667 Cross-site Scripting vulnerability in Exponentcms Exponent CMS
Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email.
4.3
2017-01-12 CVE-2016-7791 Improper Input Validation vulnerability in Exponentcms Exponent CMS 2.3.9
Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php.
network
low complexity
exponentcms CWE-20
7.5
2017-01-12 CVE-2016-7790 Improper Input Validation vulnerability in Exponentcms Exponent CMS 2.3.9
Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php.
network
low complexity
exponentcms CWE-20
7.5
2016-11-29 CVE-2016-9481 SQL Injection vulnerability in Exponentcms Exponent CMS 2.4.0
In framework/modules/core/controllers/expCommentController.php of Exponent CMS 2.4.0, content_id input is passed into showComments.
network
low complexity
exponentcms CWE-89
7.5
2016-11-15 CVE-2016-9287 SQL Injection vulnerability in Exponentcms Exponent CMS 2.4.0
In /framework/modules/notfound/controllers/notfoundController.php of Exponent CMS 2.4.0 patch1, untrusted input is passed into getSearchResults.
network
low complexity
exponentcms CWE-89
7.5
2016-11-11 CVE-2016-9288 SQL Injection vulnerability in Exponentcms Exponent CMS
In framework/modules/navigation/controllers/navigationController.php in Exponent CMS v2.4.0 or older, the parameter "target" of function "DragnDropReRank" is directly used without any filtration which caused SQL injection.
network
low complexity
exponentcms CWE-89
7.5