Exponent

All CVEs

79 total · sorted by risk
  • CVE-2022-23049 · Feb 9, 2022
    risk 0.00 · cvss · epss 0.03

    Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code in the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered, allowing an attacker to compromise the administrator…

  • CVE-2022-23048 · Feb 9, 2022
    risk 0.00 · cvss · epss 0.02

    Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After uploading it, the PHP file will be placed at "themes/simpletheme/{rce}.php", from where it can be accessed in order to execute…

  • CVE-2022-23047 · Feb 9, 2022
    risk 0.00 · cvss · epss 0.03

    Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings at "/exponentcms/administration/configure_site".

  • CVE-2016-9023 · Dec 31, 2020
    risk 0.00 · cvss · epss 0.01

    Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.

  • CVE-2016-9025 · Dec 31, 2020
    risk 0.00 · cvss · epss 0.01

    Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.

  • CVE-2016-9022 · Dec 31, 2020
    risk 0.00 · cvss · epss 0.01

    Exponent CMS before 2.6.0 has improper input validation in usersController.php.

  • CVE-2016-9021 · Dec 31, 2020
    risk 0.00 · cvss · epss 0.01

    Exponent CMS before 2.6.0 has improper input validation in storeController.php.

  • CVE-2016-8898 · May 24, 2019
    risk 0.00 · cvss · epss 0.02

    Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/ecommerce/controllers/cartController.php.

  • CVE-2016-8900 · May 24, 2019
    risk 0.00 · cvss · epss 0.02

    Exponent CMS version 2.3.9 suffers from an Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags.

  • CVE-2016-8897 · May 23, 2019
    risk 0.00 · cvss · epss 0.02

    Exponent CMS version 2.3.9 suffers from a SQL injection vulnerability in framework/modules/help/controllers/helpController.php.

  • CVE-2016-8899 · May 23, 2019
    risk 0.00 · cvss · epss 0.02

    Exponent CMS version 2.3.9 suffers from an Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.

  • CVE-2013-3295 · Dec 30, 2014
    risk 0.00 · cvss · epss 0.02

    Directory traversal vulnerability in install/popup.php in Exponent CMS before 2.2.0 RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.

  • CVE-2014-6635 · Oct 26, 2014
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 allows remote attackers to inject arbitrary web script or HTML via the src parameter in the search action to index.php.

  • CVE-2009-4744 · Mar 26, 2010
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in the Contact module in Exponent CMS 0.97-GA20090213 allows remote attackers to inject arbitrary web script or HTML via the email parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third…

  • CVE-2008-1972 · Apr 27, 2008
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the user account creation feature in Exponent CMS 0.96.6-GA20071003 and earlier, when the Allow Registration? configuration option is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1)…

  • CVE-2007-2253 · Apr 25, 2007
    risk 0.00 · cvss · epss 0.01

    Exponent CMS 0.96.6 Alpha and earlier allows remote attackers to obtain path information via a direct request for (1) sdk/blanks/formcontrol.php and (2) sdk/blanks/file_modules.php.

  • CVE-2006-1606 · Apr 4, 2006
    risk 0.00 · cvss · epss 0.01

    Unspecified vulnerability in the image module in Exponent CMS before 0.96.5 RC 1 allows "directory disclosure" with unknown attack vectors.

  • CVE-2006-1604 · Apr 4, 2006
    risk 0.00 · cvss · epss 0.02

    Unspecified vulnerability in Exponent CMS before 0.96.5 RC 1 has unknown impact and remote attack vectors related to variables that are not "typecasted."

  • CVE-2006-1607 · Apr 4, 2006
    risk 0.00 · cvss · epss 0.01

    Unspecified vulnerability in the banner module in Exponent CMS before 0.96.5 RC 1 allows "php injection" via unknown attack vectors.

  • CVE-2006-1605 · Apr 4, 2006
    risk 0.00 · cvss · epss 0.03

    Unspecified vulnerability in the image module in Exponent CMS before 0.96.5 RC 1 allows remote attackers to execute arbitrary code via unknown vectors involving "parsed PHP."

  • CVE-2005-3761 · Nov 22, 2005
    risk 0.00 · cvss · epss 0.01

    Cross-site scripting (XSS) vulnerability in Exponent CMS 0.96.3 and later versions allows remote attackers to inject arbitrary web script or HTML via (1) JavaScript in forms produced by the form generator or (2) the parameters to the installer.

  • CVE-2005-3765 · Nov 22, 2005
    risk 0.00 · cvss · epss 0.03

    Exponent CMS 0.96.3 and later versions performs a chmod on uploaded files to give them execute permissions, which allows remote attackers to execute arbitrary code.

  • CVE-2005-3766 · Nov 22, 2005
    risk 0.00 · cvss · epss 0.01

    Exponent CMS 0.96.3 and later versions stores sensitive user pages under the web document root with insufficient access control even though certain permissions are specified, which allows attackers to access the pages by browsing uploaded files.

  • CVE-2005-3764 · Nov 22, 2005
    risk 0.00 · cvss · epss 0.01

    The image gallery (imagegallery) component in Exponent CMS 0.96.3 and later versions does not properly check the MIME type of uploaded files, with unknown impact from the preview icon, possibly involving injection of HTML.

  • CVE-2005-3763 · Nov 22, 2005
    risk 0.00 · cvss · epss 0.01

    Exponent CMS 0.96.3 and later versions includes the full installation path in the base parameter to thumb.php, which allows remote attackers to obtain sensitive information. NOTE: this might be resultant from an absolute path traversal vulnerability.

  • CVE-2005-3767 · Nov 22, 2005
    risk 0.00 · cvss · epss 0.01

    Exponent CMS 0.96.3 and later versions does not properly restrict the types of uploaded files, which allows remote attackers to upload and execute PHP files.

  • CVE-2005-3762 · Nov 22, 2005
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in the navigation module (navigationmodule) in Exponent CMS 0.96.3 and later versions allows remote attackers to execute arbitrary SQL commands via the parent parameter.

  • CVE-2005-0310 · May 2, 2005
    risk 0.00 · cvss · epss 0.02

    Exponent 0.95 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) search.info.php, (2) permissions.info.php, (3) security.info.php, (4) formcontrol.php, or (5) file_modules.php, which reveals the path in an error message because the…

  • CVE-2005-0309 · Jan 25, 2005
    risk 0.00 · cvss · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php or (2) mod.php in Exponent 0.95 allow remote attackers to inject arbitrary web script or HTML via the module parameter.

Page 2 of 2