CVE-2016-9184

Name of the Vulnerable Software and Affected Versions Exponent CMS version 2.4.0

Description The issue allows for SQL Injection due to the use of untrusted input in constructing a table name in the expHTMLEditorController.php file. This is further exploited by the selectObject method in the mysqli class, which wraps table names with a character that common filters do not filter, leading to Information Disclosure.

Recommendations For Exponent CMS version 2.4.0, consider restricting access to the expHTMLEditorController.php file until a patch is available, and avoid using untrusted input to construct table names. As a temporary workaround, consider validating and sanitizing all user input to prevent SQL Injection attacks.