Shodan
Vulnerabilities
Vulnerable Software
Exponentcms:  >> Exponent Cms  >> 0.97.0  Security Vulnerabilities
CVE-2016-9288
In framework/modules/navigation/controllers/navigationController.php in Exponent CMS v2.4.0 or older, the parameter "target" of function "DragnDropReRank" is directly used without any filtration which caused SQL injection. The payload can be used like this: /navigation/DragnDropReRank/target/1.
CVSS Score
9.8
EPSS Score
0.003
Published
2016-11-11
CVE-2016-9272
A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site database information disclosure and denial of service.
CVSS Score
9.1
EPSS Score
0.003
Published
2016-11-11
CVE-2016-7453
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to perform an fid SQL Injection.
CVSS Score
9.8
EPSS Score
0.005
Published
2016-11-03
CVE-2016-7452
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal.
CVSS Score
7.5
EPSS Score
0.011
Published
2016-11-03
CVE-2016-7095
Exponent CMS before 2.3.9 is vulnerable to an attacker uploading a malicious script file using redirection to place the script in an unprotected folder, one allowing script execution.
CVSS Score
9.8
EPSS Score
0.013
Published
2016-11-03
CVE-2014-8690
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src parameter in a none action to index.php, or the (3) "First Name" or (4) "Last Name" field to users/edituser.
CVSS Score
4.3
EPSS Score
0.114
Published
2015-02-19
CVE-2013-3295
Directory traversal vulnerability in install/popup.php in Exponent CMS before 2.2.0 RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.
CVSS Score
7.5
EPSS Score
0.006
Published
2014-12-30
CVE-2013-3294
Multiple SQL injection vulnerabilities in Exponent CMS before 2.2.0 release candidate 1 allow remote attackers to execute arbitrary SQL commands via the (1) src or (2) username parameter to index.php.
CVSS Score
7.5
EPSS Score
0.017
Published
2014-02-11
CVE-2010-5002
Cross-site scripting (XSS) vulnerability in modules/slideshowmodule/slideshow.js.php in Exponent CMS 0.97.0 allows remote attackers to inject arbitrary web script or HTML via the u parameter.
CVSS Score
4.3
EPSS Score
0.108
Published
2011-11-01


Products
Pricing
Contact Us

Shodan ® - All rights reserved