Vulnerabilities
Vulnerable Software
SQL injection vulnerability in Exponent-CMS v.2.6.0, fixed in 2.7.0, allows attackers to gain access to sensitive information via the selectValue function in the expConfig class.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-02-17
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site".
CVSS Score
4.8
EPSS Score
0.009
Published
2022-02-09
Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload, the PHP file is placed at "themes/simpletheme/{rce}.php", from where it can be accessed in order to execute commands.
CVSS Score
7.2
EPSS Score
0.046
Published
2022-02-09
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code in the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered, allowing an attacker to compromise the administrator session.
CVSS Score
5.4
EPSS Score
0.008
Published
2022-02-09

