ExpressionEngine vulnerabilities

DATE        CVE             VULNERABILITY TITLE                                                          RISK (CVSS score)

2023-02-09  CVE-2023-22953  Unspecified vulnerability in Expressionengine                                8.8
    In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
    Attack vector: network; attack complexity: low; product: expressionengine

2022-02-18  CVE-2020-8242   SQL Injection vulnerability in Expressionengine                              6.5
    Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection.
    Attack vector: network; attack complexity: low; product: expressionengine; CWE-89

2021-08-12  CVE-2021-33199  Improper Input Validation vulnerability in Expressionengine                  7.5
    In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
    Attack vector: network; attack complexity: low; product: expressionengine; CWE-20

2021-03-15  CVE-2021-27230  Code Injection vulnerability in Expressionengine                             6.5
    ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
    Attack vector: network; attack complexity: low; product: expressionengine; CWE-94

2020-06-24  CVE-2020-13443  Unrestricted Upload of File with Dangerous Type vulnerability in Expressionengine  6.5
    ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions.
    Attack vector: network; attack complexity: low; product: expressionengine; CWE-434

2018-10-01  CVE-2018-17874  Cross-site Scripting vulnerability in Expressionengine                       4.3
    ExpressionEngine before 4.3.5 has reflected XSS.

2017-06-22  CVE-2017-0897   Insufficient Entropy vulnerability in Expressionengine                       5.0
    ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy.
    Attack vector: network; attack complexity: low; product: expressionengine; CWE-331

2014-11-04  CVE-2014-5387   SQL Injection vulnerability in multiple products                             6.5
    Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php.
    Attack vector: network; attack complexity: low; product: ellislab expressionengine; CWE-89

2009-03-26  CVE-2009-1070   Cross-Site Scripting vulnerability in Expressionengine 1.6.4/1.6.5/1.6.6     4.3
    Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 through 1.6.6, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via the avatar parameter.

2008-01-10  CVE-2008-0202   Code Injection vulnerability in Expressionengine                             4.3
    CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter.