Vulnerabilities
Vulnerable Software
ExpressionEngine before 7.4.11 allows XSS.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2024-06-16
In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
CVSS Score: 8.8 | EPSS Score: 0.015 | Published: 2023-02-09
Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.
CVSS Score: 7.2 | EPSS Score: 0.003 | Published: 2022-02-18
In ExpressionEngine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
CVSS Score: 9.8 | EPSS Score: 0.004 | Published: 2021-08-12
ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
CVSS Score: 8.8 | EPSS Score: 0.03 | Published: 2021-03-15

