Web-Obfuscator

Researcher fromdbappsecurity
#5451of 53,622
49Total CVSS
Vulnerabilities · 5
Critical
5
PT-2017-9339
9.8
2017-03-07
Exponent · Exponent Cms · CVE-2016-7782
**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions 2.3.9 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `src` parameter in the framework/core/models/expConfig.php file. **Recommendations** For Exponent CMS versions 2.3.9 and earlier, update to a version later than 2.3.9 to resolve the issue.
PT-2017-9343
9.8
2017-03-07
Exponent · Exponent Cms · CVE-2016-7788
**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions 2.3.9 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `username` parameter in the user.php file of the Exponent CMS framework. **Recommendations** For Exponent CMS versions 2.3.9 and earlier, update to a version later than 2.3.9 to resolve the issue.
PT-2017-9929
9.8
2017-03-07
Exponent · Exponent Cms · CVE-2016-9019
**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions 2.3.9 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `is what` parameter in the `activate address` function. **Recommendations** For Exponent CMS versions 2.3.9 and earlier, as a temporary workaround, consider disabling the `activate address` function until a patch is available. Restrict access to the `addressController.php` module to minimize the risk of exploitation. Avoid using the `is what` parameter in the affected API endpoint until the issue is resolved.
PT-2017-9930
9.8
2017-03-07
Exponent · Exponent Cms · CVE-2016-9020
**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions 2.3.9 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `version` parameter in the `helpController.php` file, which is part of the Exponent CMS framework. **Recommendations** For Exponent CMS versions 2.3.9 and earlier, update to a version later than 2.3.9 to resolve the issue. As a temporary workaround, consider restricting access to the `helpController.php` file or avoiding the use of the `version` parameter in the affected API endpoint until a patch is available.
PT-2017-9944
9.8
2017-03-07
Exponent · Exponent Cms · CVE-2016-9087
**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions 2.3.9 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `fileid` parameter in the `/framework/modules/filedownloads/controllers/filedownloadController.php` endpoint. **Recommendations** For Exponent CMS versions 2.3.9 and earlier, update to a version later than 2.3.9 to resolve the issue.