Vulnerability Details CVE-2022-23049
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.5%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 3.5
References
- https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461
- https://fluidattacks.com/advisories/cobain/
- https://github.com/exponentcms/exponent-cms/issues/1546
- https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461
- https://fluidattacks.com/advisories/cobain/
- https://github.com/exponentcms/exponent-cms/issues/1546
Products affected by CVE-2022-23049
-
cpe:2.3:a:exponentcms:exponent_cms:2.6.0