Vulnerabilities (CVE)


Filtered by vendor: Exponentcms
Total: 60 CVE
Columns: CVE | Vendor | Product | Updated | CVSS v2 | CVSS v3

CVE-2021-32441 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2023-02-28 | CVSS v2: N/A | CVSS v3: 7.5 HIGH
SQL injection vulnerability in Exponent-CMS v2.6.0, fixed in 2.7.0, allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.

CVE-2022-23049 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2022-02-16 | CVSS v2: 3.5 LOW | CVSS v3: 5.4 MEDIUM
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code via the "User-Agent" header when logging in. When an administrator visits the "User Sessions" tab, the JavaScript is triggered, allowing an attacker to compromise the administrator session.

CVE-2022-23048 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2022-02-16 | CVSS v2: 6.5 MEDIUM | CVSS v3: 7.2 HIGH
Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the form of a ZIP file containing a PHP file. After upload, the PHP file is placed at "themes/simpletheme/{rce}.php", from where it can be accessed in order to execute commands.

CVE-2022-23047 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2022-02-16 | CVSS v2: 3.5 LOW | CVSS v3: 4.8 MEDIUM
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code into the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site".

CVE-2021-38751 | Vendor: Exponentcms | Product: Exponentcms | Updated: 2021-08-23 | CVSS v2: 4.3 MEDIUM | CVSS v3: 4.3 MEDIUM
An HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the web page to an arbitrary value, leading to a possible attack vector for MITM.

CVE-2016-9021 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2021-01-04 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in storeController.php.

CVE-2016-9023 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2021-01-04 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.

CVE-2016-9025 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2021-01-04 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.

CVE-2016-9026 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2021-01-04 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in fileController.php.

CVE-2016-9022 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2021-01-04 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS before 2.6.0 has improper input validation in usersController.php.

CVE-2017-7991 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2020-04-28 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS 2.4.1 and earlier has SQL injection via a base64-serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.

CVE-2017-18213 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2019-10-02 | CVSS v2: 6.5 MEDIUM | CVSS v3: 7.2 HIGH
In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.

CVE-2016-8898 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2019-05-28 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.

CVE-2016-8900 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2019-05-28 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from an object injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.

CVE-2016-8899 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2019-05-24 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from an object injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.

CVE-2016-8897 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2019-05-24 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/help/controllers/helpController.php.

CVE-2016-7443 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2019-04-25 | CVSS v2: 7.5 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location."

CVE-2010-5002 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2018-10-10 | CVSS v2: 4.3 MEDIUM | CVSS v3: N/A
Cross-site scripting (XSS) vulnerability in modules/slideshowmodule/slideshow.js.php in Exponent CMS 0.97.0 allows remote attackers to inject arbitrary web script or HTML via the u parameter.

CVE-2016-2242 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2018-10-09 | CVSS v2: 10.0 HIGH | CVSS v3: 9.8 CRITICAL
Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php.

CVE-2015-1177 | Vendor: Exponentcms | Product: Exponent Cms | Updated: 2018-10-09 | CVSS v2: 4.3 MEDIUM | CVSS v3: 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2.