Filtered by vendor Exponentcms
Subscriptions
Filtered by product Exponent Cms
Subscriptions
Total
59 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2016-7782 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the src parameter. | ||||
CVE-2016-7791 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php. An attacker can upload an evil 'exploit.tar.gz' file to the website, then extract it by visiting '/install/index.php?install_sample=../../files/exploit', which leads to arbitrary code execution. | ||||
CVE-2016-7783 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the title parameter. | ||||
CVE-2016-7781 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter. | ||||
CVE-2016-7780 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter. | ||||
CVE-2016-7565 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter. | ||||
CVE-2016-7452 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal. | ||||
CVE-2016-7453 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to perform an fid SQL Injection. | ||||
CVE-2016-7443 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location." | ||||
CVE-2016-7400 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action. | ||||
CVE-2016-7095 | 1 Exponentcms | 1 Exponent Cms | 2024-08-06 | N/A |
Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an unprotected folder, one allowing script execution. | ||||
CVE-2016-2242 | 1 Exponentcms | 1 Exponent Cms | 2024-08-05 | N/A |
Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php. | ||||
CVE-2017-8085 | 1 Exponentcms | 1 Exponent Cms | 2024-08-05 | N/A |
In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php. | ||||
CVE-2017-7991 | 1 Exponentcms | 1 Exponent Cms | 2024-08-05 | N/A |
Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php. | ||||
CVE-2017-5879 | 1 Exponentcms | 1 Exponent Cms | 2024-08-05 | N/A |
An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects source_selector.php and the following parameter: src. | ||||
CVE-2021-32441 | 1 Exponentcms | 1 Exponent Cms | 2024-08-03 | 7.5 High |
SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class. | ||||
CVE-2022-23047 | 1 Exponentcms | 1 Exponent Cms | 2024-08-03 | 4.8 Medium |
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site" | ||||
CVE-2022-23048 | 1 Exponentcms | 1 Exponent Cms | 2024-08-03 | 7.2 High |
Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands. | ||||
CVE-2022-23049 | 1 Exponentcms | 1 Exponent Cms | 2024-08-03 | 5.4 Medium |
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session. |