CVE-2016-9286

Name of the Vulnerable Software and Affected Versions Exponent CMS version 2.4.0patch1

Description The issue allows remote attackers to read address information due to improper access restriction to user records. This can be demonstrated by accessing the "address/show/id/1" URI.

Recommendations For Exponent CMS version 2.4.0patch1, consider restricting access to the address information by properly securing the usersController.php file in the framework/modules/users/controllers directory to prevent unauthorized reading of user records. As a temporary workaround, consider disabling the address/show/id API endpoint until a patch is available.