PT-2016-7682 · CKEditor+2

Fyth · Published 2016-11-04 · Updated 2016-11-29 · CVE-2016-9182

CVSS v3.1

7.5 High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Exponent CMS version 2.4

Description

Exponent CMS uses PHP reflection to call a method of a controller class, and that call resolves the method name case-insensitively. Combined with the default permission to execute undefined actions, this allows an attacker to bypass the permission check by using a capitalized method name. For example, an attacker can access a restricted area with controller=expHTMLEditor&action=Preview&editor=ckeditor, whereas the same action with a lowercase method name, controller=expHTMLEditor&action=preview&editor=ckeditor, would be rejected for an anonymous user.

Recommendations

For Exponent CMS version 2.4, consider disabling the execution of undefined actions by default to minimize the risk of exploitation. Additionally, restrict access to sensitive controller methods to prevent unauthorized access. As a temporary workaround, consider implementing case-sensitive permission checks for controller methods until a patch is available.
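
The mismatch described above, modeled as an added example (not Exponent CMS code): a permission table keyed by the declared action name, a flawed dispatcher that allows undefined actions by default, and a corrected one that canonicalises the name and denies by default. The class, function and permission names are hypothetical.

```php
<?php
// Added illustration; all class and function names here are hypothetical.
class DemoEditorController {
    // action => required permission (null = public), keyed by declared name
    public array $permissions = ['preview' => 'edit', 'show' => null];
    public function preview(): string { return 'preview output'; }
    public function show(): string { return 'public output'; }
}

// Flawed pattern: case-sensitive permission lookup, actions missing from the
// table allowed by default, then a case-insensitive method call.
function dispatch_flawed(object $ctl, string $action, array $userPerms): string {
    $needed = $ctl->permissions[$action] ?? null;   // 'Preview' is not a key
    if ($needed !== null && !in_array($needed, $userPerms, true)) {
        return 'denied';
    }
    if (!method_exists($ctl, $action)) {            // ignores case
        return 'no such action';
    }
    return $ctl->$action();                         // 'Preview' runs preview()
}

// Corrected pattern: canonicalise the name first, then deny by default.
function dispatch_checked(object $ctl, string $action, array $userPerms): string {
    if (!method_exists($ctl, $action)) {
        return 'no such action';
    }
    // getName() returns the method name exactly as declared in the class.
    $declared = (new ReflectionMethod($ctl, $action))->getName();
    if (!array_key_exists($declared, $ctl->permissions)) {
        return 'denied';                            // undefined action: deny
    }
    $needed = $ctl->permissions[$declared];
    if ($needed !== null && !in_array($needed, $userPerms, true)) {
        return 'denied';
    }
    return $ctl->$declared();
}

$ctl = new DemoEditorController();
$anonymous = [];                                    // no permissions granted
foreach (['preview', 'Preview', 'show'] as $action) {
    printf("%-8s flawed=%-15s checked=%s\n", $action,
        dispatch_flawed($ctl, $action, $anonymous),
        dispatch_checked($ctl, $action, $anonymous));
}
```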

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2016-9182

Affected Products

Exponent CMS
PHP
CKEditor