dleffler: 36 exploits, active since Nov 2016
CVE-2016-7400 (CRITICAL)
Exponent CMS < 2.3.9 - SQL Injection via id, title, or content_id Parameter
Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action.
CVSS 9.8
CVE-2016-9134 (HIGH)
Exponent CMS 2.3.9 - SQL Injection in expPaginator.php Order Parameter
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/expPaginator.php" affecting the order parameter. Impact is Information Disclosure.
CVSS 7.5
CVE-2016-7452 (HIGH)
Exponent CMS < 2.3.9 - Unauthenticated Arbitrary File Upload via Pixidou Image Editor
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal.
CVSS 7.5
CVE-2016-7453 (CRITICAL)
Exponent CMS < 2.3.9 - SQL Injection via Pixidou Image Editor
The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to perform an fid SQL Injection.
CVSS 9.8
CVE-2016-7565 (CRITICAL)
Exponent CMS 2.3.9 - Remote Code Execution via sc Array Parameter
install/index.php in Exponent CMS 2.3.9 allows remote attackers to execute arbitrary commands via shell metacharacters in the sc array parameter.
CVSS 9.8
CVE-2016-7780 (CRITICAL)
Exponent CMS < 2.3.9 - SQL Injection via Version Parameter
SQL injection vulnerability in cron/find_help.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
CVSS 9.8
CVE-2016-7781 (CRITICAL)
Exponent CMS < 2.3.9 - SQL Injection via Blog Author Parameter
SQL injection vulnerability in framework/modules/blog/controllers/blogController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the author parameter.
CVSS 9.8
CVE-2016-7784 (CRITICAL)
Exponent CMS < 2.3.9 - SQL Injection via Section Parameter
SQL injection vulnerability in the getSection function in framework/core/subsystems/expRouter.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the section parameter.
CVSS 9.8
CVE-2016-7788 (CRITICAL)
Exponent CMS < 2.3.9 - SQL Injection via Username Parameter
SQL injection vulnerability in framework/modules/users/models/user.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVSS 9.8
CVE-2016-8897 (CRITICAL)
Exponent CMS <2.3.9 - SQL Injection
Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/help/controllers/helpController.php.
CVSS 9.8
CVE-2016-8898 (CRITICAL)
Exponent CMS <2.3.9 - SQL Injection
Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.
CVSS 9.8
CVE-2016-8899 (CRITICAL)
Exponent CMS <2.3.9 - Code Injection
Exponent CMS version 2.3.9 suffers from an Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.
CVSS 9.8
CVE-2016-8900 (CRITICAL)
Exponent CMS <2.3.9 - Code Injection
Exponent CMS version 2.3.9 suffers from an Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.
CVSS 9.8
CVE-2016-9020 (CRITICAL)
Exponent CMS <2.3.9 - SQL Injection
SQL injection vulnerability in framework/modules/help/controllers/helpController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the version parameter.
CVSS 9.8
CVE-2016-9021 (CRITICAL)
Exponent CMS <2.6.0 - Info Disclosure
Exponent CMS before 2.6.0 has improper input validation in storeController.php.
CVSS 9.8
CVE-2016-9022 (CRITICAL)
Exponent CMS <2.6.0 - Info Disclosure
Exponent CMS before 2.6.0 has improper input validation in usersController.php.
CVSS 9.8
CVE-2016-9023 (CRITICAL)
Exponent CMS <2.6.0 - Info Disclosure
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.
CVSS 9.8
CVE-2016-9025 (CRITICAL)
Exponent CMS <2.6.0 - Info Disclosure
Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.
CVSS 9.8
CVE-2016-9026 (CRITICAL)
Exponent CMS <2.6.0 - Info Disclosure
Exponent CMS before 2.6.0 has improper input validation in fileController.php.
CVSS 9.8
CVE-2016-9087 (CRITICAL)
Exponent CMS <2.3.9 - SQL Injection
SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter.
CVSS 9.8
CVE-2016-9135 (HIGH)
Exponent CMS 2.3.9 - SQL Injection in Help Controller Version Parameter
Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the version parameter. Impact is Information Disclosure.
CVSS 7.5
CVE-2016-9182 (HIGH)
Exponent CMS 2.4 - Improper Access Control via Case Insensitive Method Name Bypass
Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. However, method names in PHP reflection are case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor versus controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.
CVSS 7.5
CVE-2016-9183 (HIGH)
Exponent CMS 2.4.0 - Info Disclosure
In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql. The selectObjectsBySql method of the mysqli_database class uses the injectProof method to prevent SQL injection, but this filter is easily bypassed: it only sanitizes user input if the input contains an odd number of ' or " characters. Impact is Information Disclosure.
CVSS 7.5
CVE-2016-9184 (HIGH)
Exponent CMS 2.4.0 - SQL Injection and Information Disclosure via Table Name Manipulation
In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table name, and in the selectObject method of the mysqli class, table names are wrapped with a character that common filters do not filter, allowing SQL injection. Impact is Information Disclosure.
CVSS 7.5