Exponentcms Exponent Cms — known CVE vulnerabilities
Every CVE whose affected-product data names Exponentcms Exponent Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (59)
CVE-2016-7400 — CVSS 9.8 (critical): Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id…
CVE-2016-7791 — CVSS 9.8 (critical): Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php. An attacker can upload an evil…
CVE-2016-8897 — CVSS 9.8 (critical): Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-8898 — CVSS 9.8 (critical): Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.
CVE-2016-8899 — CVSS 9.8 (critical): Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related…
CVE-2016-8900 — CVSS 9.8 (critical): Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related…
CVE-2016-9019 — CVSS 9.8 (critical): SQL injection vulnerability in the activate_address function in framework/modules/addressbook/controllers/addressController.php in Exponent…
CVE-2016-9020 — CVSS 9.8 (critical): SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote…
CVE-2016-9087 — CVSS 9.8 (critical): SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier…
CVE-2017-7991 — CVSS 9.8 (critical): Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of…
CVE-2017-5879 — CVSS 9.8 (critical): An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP…
CVE-2016-9481 — CVSS 9.8 (critical): In framework/modules/core/controllers/expCommentController.php of Exponent CMS 2.4.0, content_id input is passed into showComments. The…
CVE-2016-9288 — CVSS 9.8 (critical): In framework/modules/navigation/controllers/navigationController.php in Exponent CMS v2.4.0 or older, the parameter "target" of function…
CVE-2016-2242 — CVSS 9.8 (critical): Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php.
CVE-2016-7095 — CVSS 9.8 (critical): Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an…
CVE-2016-9287 — CVSS 9.8 (critical): In /framework/modules/notfound/controllers/notfoundController.php of Exponent CMS 2.4.0 patch1, untrusted input is passed into…
CVE-2016-7443 — CVSS 9.8 (critical): Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong…
CVE-2016-7453 — CVSS 9.8 (critical): The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to perform an fid SQL Injection.
CVE-2016-7565 — CVSS 9.8 (critical): install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array…
CVE-2016-7780 — CVSS 9.8 (critical): SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL…
CVE-2016-7781 — CVSS 9.8 (critical): SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote…
CVE-2016-7782 — CVSS 9.8 (critical): SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute…
CVE-2016-7783 — CVSS 9.8 (critical): SQL injection vulnerability in framework/core/models/expRecord.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute…
CVE-2016-7784 — CVSS 9.8 (critical): SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows…
CVE-2016-7788 — CVSS 9.8 (critical): SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute…
CVE-2016-7789 — CVSS 9.8 (critical): SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute…
CVE-2016-7790 — CVSS 9.8 (critical): Exponent CMS 2.3.9 suffers from a remote code execution vulnerability in /install/index.php. An attacker can upload 'php' file to the…
CVE-2016-9272 — CVSS 9.1 (critical): A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site database information…
CVE-2016-9242 — CVSS 8.8 (high): Multiple SQL injection vulnerabilities in the update method in framework/modules/core/controllers/expRatingController.php in Exponent CMS…
CVE-2021-32441 — CVSS 7.5 (high): SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the…
CVE-2016-9282 — CVSS 7.5 (high): SQL Injection in framework/modules/search/controllers/searchController.php in Exponent CMS v2.4.0 allows remote attackers to read database…
CVE-2016-9283 — CVSS 7.5 (high): SQL Injection in framework/core/subsystems/expRouter.php in Exponent CMS v2.4.0 allows remote attackers to read database information via…
CVE-2016-9134 — CVSS 7.5 (high): Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/expPaginator.php" affecting the order parameter. Impact is Information…
CVE-2016-9135 — CVSS 7.5 (high): Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the…
CVE-2016-9182 — CVSS 7.5 (high): Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But…
CVE-2016-9183 — CVSS 7.5 (high): In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql…
CVE-2016-7452 — CVSS 7.5 (high): The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a…
CVE-2013-3294 — CVSS 7.5 (high): Multiple SQL injection vulnerabilities in Exponent CMS before 2.2.0 release candidate 1 allow remote attackers to execute arbitrary SQL…
CVE-2016-9184 — CVSS 7.5 (high): In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table…
CVE-2013-3295 — CVSS 7.5 (high): Directory traversal vulnerability in install/popup.php in Exponent CMS before 2.2.0 RC1 allows remote attackers to include and execute…
CVE-2022-23048 — CVSS 7.2 (high): Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file…
CVE-2017-8085 — CVSS 6.1 (medium): In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.
CVE-2015-8684 — CVSS 6.1 (medium): Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct…
CVE-2015-8667 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject…
CVE-2022-23049 — CVSS 5.4 (medium): Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When…
CVE-2016-9286 — CVSS 5.3 (medium): framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0patch1 does not properly restrict access to user records…
CVE-2016-9284 — CVSS 5.3 (medium): getUsersByJSON in framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0 allows remote attackers to read user…
CVE-2016-9285 — CVSS 5.3 (medium): framework/modules/addressbook/controllers/addressController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via…
CVE-2022-23047 — CVSS 4.8 (medium): Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site…
CVE-2014-6635 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 allows remote attackers to inject arbitrary web script or HTML via the src…
CVE-2010-5002 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in modules/slideshowmodule/slideshow.js.php in Exponent CMS 0.97.0 allows remote attackers to…
CVE-2014-8690 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before…