PT-2016-7714 · Exponent · Exponent Cms
Fyth · Published 2016-11-07 · Updated 2016-11-29 · CVE-2016-9242
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Exponent CMS version 2.4.0

Description
Exponent CMS 2.4.0 contains SQL injection vulnerabilities in the update method of the expRatingController.php file. A remote authenticated user can execute arbitrary SQL commands by manipulating the content type and subtype parameters passed to that method.

Recommendations
For Exponent CMS version 2.4.0, restrict access to the update method in expRatingController.php until a fix is available. As a temporary workaround, avoid using the content type and subtype parameters of the affected API endpoint until the issue is resolved.

Fix

Weakness Enumeration
SQL injection
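As an added, hypothetical example (not Exponent CMS's own code and not the project's fix), the defensive pattern that closes this class of bug in a rating-update handler: validate the content type and subtype against a strict identifier pattern, validate the numeric fields, and pass every value as a bound parameter so user data never becomes part of the SQL text. The request keys `content_type`/`subtype`, the `ratings` table and its columns, and the in-memory SQLite demo (requires the pdo_sqlite extension) are all assumptions.

```php
<?php
// Added example, not Exponent CMS code. Demonstrates the hardened form of a
// rating update: allowlist validation plus prepared statements.
// The anti-pattern this replaces is building the UPDATE by concatenating
// request values straight into the query string.
declare(strict_types=1);

function validate_identifier(string $value, string $name): string
{
    // Content types and subtypes are short, fixed vocabularies (assumption):
    // allow only identifier characters of modest length, reject anything else.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $value)) {
        throw new InvalidArgumentException("invalid $name");
    }
    return $value;
}

function update_rating(PDO $db, array $request, int $userId): int
{
    $contentType = validate_identifier((string)($request['content_type'] ?? ''), 'content_type');
    $subtype     = validate_identifier((string)($request['subtype'] ?? ''), 'subtype');
    $contentId   = filter_var($request['content_id'] ?? null, FILTER_VALIDATE_INT);
    $rating      = filter_var($request['rating'] ?? null, FILTER_VALIDATE_INT,
                              ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($contentId === false || $rating === false) {
        throw new InvalidArgumentException('invalid content_id or rating');
    }

    // Bound parameters: the SQL text is fixed, values travel separately.
    $stmt = $db->prepare(
        'UPDATE ratings SET rating = :rating
          WHERE content_type = :ctype AND subtype = :subtype
            AND content_id = :cid AND user_id = :uid'
    );
    $stmt->execute([
        ':rating'  => $rating,
        ':ctype'   => $contentType,
        ':subtype' => $subtype,
        ':cid'     => $contentId,
        ':uid'     => $userId,
    ]);
    return $stmt->rowCount();
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ratings (content_type TEXT, subtype TEXT, content_id INTEGER, user_id INTEGER, rating INTEGER)');
$db->exec("INSERT INTO ratings VALUES ('blog', 'post', 7, 42, 3)");

$updated = update_rating($db, ['content_type' => 'blog', 'subtype' => 'post', 'content_id' => '7', 'rating' => '5'], 42);
echo "$updated row(s) updated\n";

try {
    // Constructed malformed input: a quote character fails the allowlist and is
    // rejected before any statement is prepared.
    update_rating($db, ['content_type' => "blog' --", 'subtype' => 'post', 'content_id' => '7', 'rating' => '5'], 42);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allowlist is the second line of defence; the prepared statement alone already prevents injection, but rejecting unexpected characters early also gives a clean signal to log and alert on when such requests arrive.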
Related identifiers

Affected products
Exponent Cms