Critical severity9.8NVD Advisory· Published Apr 22, 2017· Updated May 13, 2026

CVE-2017-7991

Description

Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.

Affected products

Exponent/Exponent CMS
cpe:2.3:a:exponentcms:exponent_cms:*:*:*:*:*:*:*:*
Range: <=2.4.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

seclists.org/fulldisclosure/2017/Apr/78nvdExploitThird Party Advisory
gist.github.com/404notf0und/ab59234d71fbf35b4926ffd646324f29nvdExploitThird Party Advisory
packetstormsecurity.com/files/142258/Exponent-CMS-2.4.1-SQL-Injection.htmlnvdExploitThird Party AdvisoryVDB Entry
github.com/exponentcms/exponent-cms/commit/67a9c2f0229de120431f3eecb0f5017075517105nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000