CVE-2016-9481

Name of the Vulnerable Software and Affected Versions Exponent CMS version 2.4.0

Description The issue is related to a SQL injection problem. In the expCommentController.php file, the content id input is passed into the showComments method. This method uses the $this->params['content id'] parameter directly in SQL, which can lead to SQL injection.

Recommendations For Exponent CMS version 2.4.0, consider validating and sanitizing the content id input to prevent SQL injection attacks. As a temporary workaround, restrict access to the showComments method until a patch is available.