PT-2016-7683 · Exponent · Exponent Cms

Fyth1 · Published 2016-11-04 · Updated 2016-11-29 · CVE-2016-9183

CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Exponent CMS version 2.4.0
Description: Untrusted input is passed from the orderController.php file of Exponent CMS into the selectObjectsBySql method. That method, part of the mysqli database class, relies on the injectProof method to prevent SQL injection. The filter is trivially bypassed because it only sanitizes input that contains an odd number of ' or " characters; a payload with an even number of quotes (for example a balanced `' OR '1'='1` tautology) reaches the query string unmodified. The impact is Information Disclosure: the CVSS vector (AV:N, PR:N, C:H) reflects an unauthenticated, network-reachable read of database contents.
Recommendations: For Exponent CMS version 2.4.0, upgrade to a fixed release as soon as one is available. Until then, either disable the code path in orderController.php that reaches selectObjectsBySql, or make sure every value that reaches it is passed as a bound parameter (or escaped unconditionally, not only when the quote count is odd). Quote-counting filters are not a substitute for parameterized queries.
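The following is an added example, not code from the advisory or from Exponent CMS. It models the filter behaviour the description gives (escape only when the number of ' or " characters is odd) as a hypothetical `odd_quote_filter`, shows why a balanced payload bypasses it against a constructed SQLite table, and places the parameterized lookup from the recommendations beside it. Table names, columns, sample rows and payloads are all constructed for the demonstration; quote doubling is used as the escaping model because the demo runs on SQLite, but the bypass does not depend on the escaping style, since for even counts the filter never runs at all.

```python
import sqlite3

# Constructed sample data (not from the advisory or the project).
ORDERS = [(1, "ORD-1001", "alice"), (2, "ORD-1002", "bob")]
USERS = [(1, "admin", "hash-a"), (2, "alice", "hash-b")]


def odd_quote_filter(value: str) -> str:
    """Hypothetical model of the described filter: quotes are escaped only
    when the count of ' or the count of " in the input is odd. Any input
    with balanced quotes is returned untouched."""
    if value.count("'") % 2 == 1 or value.count('"') % 2 == 1:
        return value.replace("'", "''").replace('"', '""')
    return value


def open_db() -> sqlite3.Connection:
    """In-memory database with an orders table (the queried one) and a
    users table (the one an attacker wants to read)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, ref TEXT, customer TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, ref: str) -> list:
    """Filter, then concatenate into the SQL string: the pattern the advisory describes."""
    sql = f"SELECT id, customer FROM orders WHERE ref = '{odd_quote_filter(ref)}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, ref: str) -> list:
    """Bound parameter: the value can never change the query structure."""
    return conn.execute("SELECT id, customer FROM orders WHERE ref = ?", (ref,)).fetchall()


ODD_PAYLOAD = "x' OR 1=1 --"            # 1 quote: filter fires, injection fails
EVEN_PAYLOAD = "x' OR '1'='1"           # 4 quotes: filter skipped, tautology returns every order
UNION_PAYLOAD = "x' UNION SELECT id, username FROM users WHERE ''='"  # 4 quotes: reads another table


def demo() -> dict:
    conn = open_db()
    return {
        "legit": vulnerable_lookup(conn, "ORD-1001"),
        "odd": vulnerable_lookup(conn, ODD_PAYLOAD),
        "even": vulnerable_lookup(conn, EVEN_PAYLOAD),
        "union": vulnerable_lookup(conn, UNION_PAYLOAD),
        "safe": safe_lookup(conn, EVEN_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:>6}: {rows}")
```

The odd-quote payload is escaped and becomes a harmless literal, which is why a tester who only tries `' OR 1=1 --` may conclude the filter works. The balanced payloads pass through untouched: the tautology dumps every order, and the UNION variant reads the users table through the same query, which is the information disclosure the advisory records. The parameterized lookup returns no rows for the same input.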

Impact: Information Disclosure

Related Identifiers

CVE-2016-9183

Affected Products

Exponent Cms