CVE-2014-8690

Exponent CMS < 2.1.4, 2.2.x < 2.2.3, 2.3.x < 2.3.1 - Cross-Site Scripting via PATH_INFO or User Profile Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-8690. PoCs published by Mayuresh Dani.

AI-analyzed exploit summary This is a vulnerability disclosure writeup for CVE-2014-8690, detailing multiple XSS vulnerabilities in Exponent CMS 2.3.1. It includes examples of malicious URLs and descriptions of vulnerable fields but does not contain executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src parameter in a none action to index.php, or the (3) "First Name" or (4) "Last Name" field to users/edituser.

Exploits (1)

exploitdb WRITEUP

by Mayuresh Dani · textwebappsphp

https://www.exploit-db.com/exploits/36059

View Code ZIP pw:eip

This is a vulnerability disclosure writeup for CVE-2014-8690, detailing multiple XSS vulnerabilities in Exponent CMS 2.3.1. It includes examples of malicious URLs and descriptions of vulnerable fields but does not contain executable exploit code.

Classification

Writeup 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Exponent CMS 2.3.1

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK