PT-2015-4075 · Exponent · Exponent Cms
Published
2015-02-19
·
Updated
2017-09-08
·
CVE-2014-8690
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Exponent CMS versions prior to 2.1.4 patch 6
Exponent CMS versions 2.2.x prior to 2.2.3 patch 9
Exponent CMS versions 2.3.x prior to 2.3.1 patch 4
Description
The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the PATH INFO, the
src parameter in a none action to "index.php", or the "First Name" or "Last Name" field to "users/edituser".Recommendations
For Exponent CMS versions prior to 2.1.4 patch 6, update to version 2.1.4 patch 6 or later.
For Exponent CMS versions 2.2.x prior to 2.2.3 patch 9, update to version 2.2.3 patch 9 or later.
For Exponent CMS versions 2.3.x prior to 2.3.1 patch 4, update to version 2.3.1 patch 4 or later.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Exponent Cms