Fyth

**Name of the Vulnerable Software and Affected Versions** Exponent CMS version 2.4.0 **Description** The issue concerns SQL injection vulnerabilities in the update method within the expRatingController.php file of Exponent CMS. These vulnerabilities allow remote authenticated users to execute arbitrary SQL commands by manipulating specific parameters. The vulnerable parameters are `content type` and `subtype`. **Recommendations** For Exponent CMS version 2.4.0, consider restricting access to the update method in expRatingController.php to prevent exploitation until a fix is available. As a temporary workaround, avoid using the `content type` and `subtype` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Exponent CMS version 2.4 **Description** The issue arises from the use of PHP reflection in Exponent CMS to call a method of a controller class, which is case insensitive. This, combined with the default permission to execute undefined actions, allows an attacker to bypass the permission check by using a capitalized method name. For example, an attacker can access a restricted area by using a capitalized method name, such as `controller=expHTMLEditor&action=Preview&editor=ckeditor`, whereas the same action with a lowercase method name, `controller=expHTMLEditor&action=preview&editor=ckeditor`, would be rejected for an anonymous user. **Recommendations** For Exponent CMS version 2.4, consider disabling the execution of undefined actions by default to minimize the risk of exploitation. Additionally, restrict access to sensitive controller methods to prevent unauthorized access. As a temporary workaround, consider implementing case-sensitive permission checks for controller methods until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Exponent CMS version 2.4.0 **Description** The issue allows for SQL Injection due to the use of untrusted input in constructing a table name in the expHTMLEditorController.php file. This is further exploited by the selectObject method in the mysqli class, which wraps table names with a character that common filters do not filter, leading to Information Disclosure. **Recommendations** For Exponent CMS version 2.4.0, consider restricting access to the expHTMLEditorController.php file until a patch is available, and avoid using untrusted input to construct table names. As a temporary workaround, consider validating and sanitizing all user input to prevent SQL Injection attacks.