CVE-2016-7790

Name of the Vulnerable Software and Affected Versions Exponent CMS version 2.3.9

Description The issue concerns a remote code execution problem. It is possible for an attacker to upload a php file through the "uploader paste.php" script, then overwrite the "/framework/conf/config.php" file. This can lead to arbitrary code execution. The vulnerable endpoint is "/install/index.php".

Recommendations For Exponent CMS version 2.3.9, as a temporary workaround, consider disabling the "/install/index.php" endpoint and restricting access to the "uploader paste.php" script until a patch is available. Avoid using the uploader paste.php script in the affected version to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.