CVE-2016-7791

Name of the Vulnerable Software and Affected Versions Exponent CMS version 2.3.9

Description The issue allows for remote code execution. An attacker can upload a malicious file, exploit.tar.gz, to the website and then extract it by visiting the "/install/index.php" endpoint with a specific query parameter, install sample=../../files/exploit, leading to arbitrary code execution.

Recommendations For Exponent CMS version 2.3.9, as a temporary workaround, consider restricting access to the "/install/index.php" endpoint and avoid using the install sample parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.