High severity7.5NVD Advisory· Published Nov 4, 2016· Updated Jun 17, 2026
CVE-2016-9182
CVE-2016-9182
Description
Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*
- (no CPE)range: <2.4
Patches
Vulnerability mechanics
References
2- github.com/exponentcms/exponent-cms/commit/684d79424f768db8bb345d5c68aa2a886239492bnvdIssue TrackingPatchThird Party Advisory
- www.securityfocus.com/bid/94227nvdThird Party Advisory
News mentions
0No linked articles in our index yet.