High severity7.5NVD Advisory· Published Nov 4, 2016· Updated May 6, 2026

CVE-2016-9182

Description

Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.

Affected products

Exponent/Exponent CMS
cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/exponentcms/exponent-cms/commit/684d79424f768db8bb345d5c68aa2a886239492bnvdIssue TrackingPatchThird Party Advisory
www.securityfocus.com/bid/94227nvdThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000