CVE-2016-7400

Name of the Vulnerable Software and Affected Versions Exponent CMS versions prior to 2.4.0

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the id parameter in an "activate address" address controller action, the title parameter in a "show" blog controller action, or the content id parameter in a "showComments" expComment controller action.

Recommendations For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected controller actions until the update is applied. Avoid using the id, title, and content id parameters in the respective actions until the issue is resolved.