PT-2026-39507 · Unknown · Exponent Cms
Picaro_O
·
Published
2026-05-10
·
Updated
2026-05-10
·
CVE-2021-47931
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Exponent CMS version 2.6
Description
Authenticated attackers can perform stored cross-site scripting by injecting malicious scripts via the
Title and Text Block parameters in the text editing endpoint. This is achieved by injecting iframe payloads with embedded SVG onload events to execute arbitrary JavaScript. Additionally, the application exposes database credentials in responses and lacks brute-force protection on authentication endpoints.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Exponent Cms