PT-2021-3936 · Unknown · Exponent Cms

Dumpling-Soup · Published 2021-08-10 · Updated 2021-08-23 · CVE-2021-38751

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

ExponentCMS versions 2.6 and below

Description

An HTTP Host header attack exists in ExponentCMS, allowing a modified HTTP header to change links on the webpage to an arbitrary value. This creates a possible attack vector for Man-in-the-Middle (MITM) attacks. The issue stems from a lack of output encoding or escaping in the system, which a remote attacker can exploit by modifying the HTTP header to impact the integrity of protected information.

Recommendations

For ExponentCMS versions 2.6 and below, consider disabling access to the /exponent constants.php file until a patch is available. As a temporary workaround, restrict the modification of HTTP headers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
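
One way to apply the header restriction at the application layer, shown as an added example that is not ExponentCMS code: accept the client-supplied Host value only when it exactly matches an allowlist, and escape the result before it is written into a link. The function names `trusted_host` and `base_url`, the constants and all hostnames are assumptions made for illustration.

```php
<?php
// Added example, not ExponentCMS code. All hostnames are constructed placeholders.
declare(strict_types=1);

const ALLOWED_HOSTS  = ['cms.example.org', 'www.cms.example.org'];
const CANONICAL_HOST = 'cms.example.org';

/**
 * Return the host to use when building absolute links.
 * The client-supplied Host header is accepted only on an exact allowlist
 * match; anything else falls back to the configured canonical name.
 */
function trusted_host(?string $hostHeader): string
{
    if ($hostHeader === null) {
        return CANONICAL_HOST;
    }
    // Normalise: lower-case, drop an optional :port suffix and a trailing dot.
    $host = strtolower(trim($hostHeader));
    $host = preg_replace('/:\d{1,5}$/', '', $host) ?? '';
    $host = rtrim($host, '.');

    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

/** Build the site base URL from the validated host, escaped for HTML output. */
function base_url(?string $hostHeader, bool $https = true): string
{
    $scheme = $https ? 'https' : 'http';
    $url    = $scheme . '://' . trusted_host($hostHeader) . '/';

    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample Host values: legitimate, legitimate with port,
// unrelated host, allowlisted name used as a prefix, and a missing header.
$samples = [
    'cms.example.org',
    'CMS.example.org:443',
    'attacker.example',
    'cms.example.org.attacker.example',
    null,
];
foreach ($samples as $h) {
    printf("%-36s => %s\n", var_export($h, true), base_url($h));
}
```

In a real deployment the value passed in would be `$_SERVER['HTTP_HOST'] ?? null`; only the first two samples keep their own host, the rest resolve to the canonical name.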

Exploit

Improper Encoding or Escaping of Output


Weakness Enumeration

Related Identifiers

BDU:2021-04453
CVE-2021-38751

Affected Products

Exponent Cms