Exponent · Exponent Cms · CVE-2016-9183
**Name of the Vulnerable Software and Affected Versions**
Exponent CMS version 2.4.0
**Description**
This vulnerability concerns untrusted input that is passed into the `selectObjectsBySql` method from the `orderController.php` file of Exponent CMS. `selectObjectsBySql`, part of the mysqli database class, attempts to prevent SQL injection with the `injectProof` method. That filter is easily bypassed, however, because it only sanitizes the input when it contains an odd number of `'` or `"` characters; input with an even number of quote characters is passed through unchanged. The impact of this issue is information disclosure.
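The following PHP is an added illustration, not Exponent CMS code: `parity_quote_filter` is a hypothetical stand-in for the odd-quote-count behaviour the description attributes to `injectProof`, and `find_orders`, with its assumed `orders` table and column names, shows the parameterised query that a fix should use in place of string-built SQL.

```php
<?php
// Added illustration (not Exponent CMS code): why a parity-based quote
// filter is unsound, and the parameterised alternative a defender wants.

// Hypothetical stand-in for the behaviour the advisory describes:
// the value is escaped only when its quote count is odd.
function parity_quote_filter(string $value): string
{
    $quotes = substr_count($value, "'") + substr_count($value, '"');
    return ($quotes % 2 === 1) ? addslashes($value) : $value;
}

// Hardened form: the value is never spliced into the SQL text. It is bound
// as a parameter, and the ORDER BY column (which cannot be bound) is
// restricted to a fixed whitelist. Table and column names are assumptions.
function find_orders(mysqli $db, string $customerRef, string $orderBy): array
{
    $allowedColumns = ['id', 'created', 'total'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        $orderBy = 'id';
    }
    $sql  = "SELECT id, created, total FROM orders "
          . "WHERE customer_ref = ? ORDER BY `$orderBy`";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('s', $customerRef);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Demonstrating the filter defect needs no database. Both inputs are
// constructed; the second is deliberately harmless, it only shows that an
// even quote count leaves the value untouched.
$odd  = "O'Brien";    // one quote: escaped as expected
$even = "'Brien'";    // two quotes: not escaped at all
var_dump(parity_quote_filter($odd)  === "O\\'Brien"); // bool(true)
var_dump(parity_quote_filter($even) === $even);       // bool(true): filter did nothing
```

Parity-based escaping is not a control: a fix should make every value reach the database as a bound parameter, as in `find_orders`, rather than trying to improve the filter.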
**Recommendations**
For Exponent CMS version 2.4.0, consider disabling the `selectObjectsBySql` method in the `orderController.php` file until a proper fix is available, or ensure that all input to this method is thoroughly validated and sanitized to prevent SQL injection attacks.