Vulnerability Details : CVE-2016-9182
Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.
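A simplified model of the flaw described above, with the flawed dispatcher beside a hardened one. This is an added example, not code from Exponent CMS or its fix commit: `DemoEditorController`, `POLICY`, `dispatchVulnerable` and `dispatchHardened` are hypothetical names, and the hardened variant (case normalisation plus default deny) is one possible mitigation, not necessarily what the project's patch does.

```php
<?php
// Added illustration, not Exponent CMS code; all class and function names are hypothetical.
final class DemoEditorController {
    // Action => permission required (null would mean public), keyed by declared method name.
    public const POLICY = ['preview' => 'edit'];
    public function preview(): string { return 'preview rendered'; }
}

// Flawed pattern: case-sensitive policy lookup, default allow, case-insensitive call.
function dispatchVulnerable(object $c, string $action, array $perms): string {
    $required = $c::POLICY[$action] ?? null;   // "Preview" is not a key, so nothing is required
    if ($required !== null && !in_array($required, $perms, true)) {
        return 'denied';
    }
    if (!method_exists($c, $action)) {          // method_exists() ignores case
        return 'not found';
    }
    return (new ReflectionMethod($c, $action))->invoke($c); // resolves to preview()
}

// Hardened pattern: normalise the name once, then deny anything the policy does not list.
function dispatchHardened(object $c, string $action, array $perms): string {
    $policy = array_change_key_case($c::POLICY, CASE_LOWER);
    $name = strtolower($action);
    if (!array_key_exists($name, $policy) || !method_exists($c, $name)) {
        return 'denied';                        // default deny for unlisted actions
    }
    if ($policy[$name] !== null && !in_array($policy[$name], $perms, true)) {
        return 'denied';
    }
    return (new ReflectionMethod($c, $name))->invoke($c);
}

$anon = [];                                     // anonymous user: no permissions
$c = new DemoEditorController();
foreach (['preview', 'Preview', 'PREVIEW'] as $action) {
    printf("%-8s vulnerable=%-17s hardened=%s\n", $action,
        dispatchVulnerable($c, $action, $anon), dispatchHardened($c, $action, $anon));
}
// An authorised user still reaches the action through the hardened dispatcher.
printf("editor   hardened=%s\n", dispatchHardened($c, 'Preview', ['edit']));
```

The same mismatch is worth auditing wherever an authorization table is keyed by a string that the language later resolves case-insensitively.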
Vulnerability category: Bypass, Gain privilege
Products affected by CVE-2016-9182
- cpe:2.3:a:exponentcms:exponent_cms:2.4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-9182
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- Percentile: ~35% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2016-9182
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2016-9182
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-9182
- https://github.com/exponentcms/exponent-cms/commit/684d79424f768db8bb345d5c68aa2a886239492b
  fix security vulnerability to bypass permissions using method name in… · exponentcms/exponent-cms@684d794 · GitHub (Issue Tracking; Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/94227
  Exponent CMS SQL Injection and Security Bypass Vulnerabilities (Third Party Advisory)