U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:exponentcms:exponent_cms:2.4.1:-:*:*:*:*:*:*
  • CPE Name Search: true
There are 8 matching records.
Displaying matches 1 through 8.
Vuln ID Summary CVSS Severity
CVE-2016-9026

Exponent CMS before 2.6.0 has improper input validation in fileController.php.

Published: December 30, 2020; 10:15:12 PM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-9025

Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php.

Published: December 30, 2020; 10:15:12 PM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-9023

Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.

Published: December 30, 2020; 10:15:12 PM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-9022

Exponent CMS before 2.6.0 has improper input validation in usersController.php.

Published: December 30, 2020; 10:15:12 PM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-9021

Exponent CMS before 2.6.0 has improper input validation in storeController.php.

Published: December 30, 2020; 10:15:12 PM -0500 		V4.0:(not available)
 V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2017-18213

In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges.

Published: March 03, 2018; 9:29:02 PM -0500 		V4.0:(not available)
 V3.0: 7.2 HIGH
V2.0: 6.5 MEDIUM
CVE-2017-7991

Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.

Published: April 21, 2017; 9:59:02 PM -0400 		V4.0:(not available)
 V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2017-5879

An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL injection that can be exploited by un-authenticated users via an HTTP GET request and which can be used to dump database data out to a malicious server, using an out-of-band technique, such as select_loadfile(). The vulnerability affects source_selector.php and the following parameter: src.

Published: February 06, 2017; 10:59:00 AM -0500 		V4.0:(not available)
 V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH