Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code via the "User-Agent" header when logging in. When an administrator visits the "User Sessions" tab, the JavaScript is triggered, allowing an attacker to compromise the administrator session.
Max CVSS: 5.4; EPSS Score: 0.06%; Published: 2022-02-09; Updated: 2022-02-17
Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name", "Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site".
Max CVSS: 4.8; EPSS Score: 0.06%; Published: 2022-02-09; Updated: 2022-02-16
In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php.
Max CVSS: 6.1; EPSS Score: 0.14%; Published: 2017-04-24; Updated: 2017-04-29
Exponent CMS before 2.3.7 does not properly restrict the types of files that can be uploaded, which allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly have other unspecified impact as demonstrated by uploading a file with an .html extension, then accessing it via the elFinder functionality.
Max CVSS: 6.1; EPSS Score: 0.10%; Published: 2017-01-18; Updated: 2017-01-19
Cross-site scripting (XSS) vulnerability in Reset Your Password module in Exponent CMS before 2.3.5 allows remote attackers to inject arbitrary web script or HTML via the Username/Email.
Max CVSS: 6.1; EPSS Score: 0.10%; Published: 2017-01-18; Updated: 2017-01-19
Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2.
Max CVSS: 6.1; EPSS Score: 0.20%; Published: 2017-08-28; Updated: 2018-10-09
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src parameter in a none action to index.php, or the (3) "First Name" or (4) "Last Name" field to users/edituser.
Max CVSS: 4.3; EPSS Score: 1.26%; Published: 2015-02-19; Updated: 2017-09-08
Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 allows remote attackers to inject arbitrary web script or HTML via the src parameter in the search action to index.php.
Max CVSS: 4.3; EPSS Score: 0.14%; Published: 2014-10-26; Updated: 2017-09-08
Cross-site scripting (XSS) vulnerability in modules/slideshowmodule/slideshow.js.php in Exponent CMS 0.97.0 allows remote attackers to inject arbitrary web script or HTML via the u parameter.
Max CVSS: 4.3; EPSS Score: 0.60%; Published: 2011-11-01; Updated: 2018-10-10
9 vulnerabilities found