Exponent CMS 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、パス処理の欠陥, and vendor risk input validation に関連することが多く、vendor surface production workloads and vendor surface software deployment の文脈で vendor impact session compromise and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2021-32441 | SQL Injection vulnerability in Exponent-CMS v.2.6.0 fixed in 2.7.0 allows attackers to gain access to sensitive information via the selectValue function in the expConfig class. | [email protected] | 7.5 | 0.60% | 2023-02-17 | 2026-06-16 |
| CVE-2022-23049 | Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session. | [email protected] | 5.4 | 2.99% | 2022-02-09 | 2026-06-17 |
| CVE-2022-23048 | Exponent CMS 2.6.0patch2 allows an authenticated admin user to upload a malicious extension in the format of a ZIP file with a PHP file inside it. After upload it, the PHP file will be placed at "themes/simpletheme/{rce}.php" from where can be accessed in order to execute commands. | [email protected] | 7.2 | 2.10% | 2022-02-09 | 2026-06-17 |
| CVE-2022-23047 | Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site" | [email protected] | 4.8 | 2.89% | 2022-02-09 | 2026-06-17 |
| CVE-2021-38751 | A HTTP Host header attack exists in ExponentCMS 2.6 and below in /exponent_constants.php. A modified HTTP header can change links on the webpage to an arbitrary value, leading to a possible attack vector for MITM. | [email protected] | 4.3 | 2.47% | 2021-08-16 | 2026-06-17 |
| CVE-2016-9026 | Exponent CMS before 2.6.0 has improper input validation in fileController.php. | [email protected] | 9.8 | 1.27% | 2020-12-30 | 2026-06-16 |
| CVE-2016-9025 | Exponent CMS before 2.6.0 has improper input validation in purchaseOrderController.php. | [email protected] | 9.8 | 1.25% | 2020-12-30 | 2026-06-16 |
| CVE-2016-9023 | Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php. | [email protected] | 9.8 | 1.25% | 2020-12-30 | 2026-06-16 |
| CVE-2016-9022 | Exponent CMS before 2.6.0 has improper input validation in usersController.php. | [email protected] | 9.8 | 1.27% | 2020-12-30 | 2026-06-16 |
| CVE-2016-9021 | Exponent CMS before 2.6.0 has improper input validation in storeController.php. | [email protected] | 9.8 | 1.27% | 2020-12-30 | 2026-06-16 |
| CVE-2016-8900 | Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expTagController.php related to change_tags. | [email protected] | 9.8 | 2.11% | 2019-05-24 | 2026-06-16 |
| CVE-2016-8898 | Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/ecommerce/controllers/cartController.php. | [email protected] | 9.8 | 1.79% | 2019-05-24 | 2026-06-16 |
| CVE-2016-8899 | Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats. | [email protected] | 9.8 | 2.11% | 2019-05-23 | 2026-06-16 |
| CVE-2016-8897 | Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php. | [email protected] | 9.8 | 1.79% | 2019-05-23 | 2026-06-16 |
| CVE-2016-7443 | Exponent CMS 2.3.0 through 2.3.9 allows remote attackers to have unspecified impact via vectors related to "uploading files to wrong location." | [email protected] | 9.8 | 2.23% | 2018-03-06 | 2026-06-16 |
| CVE-2017-18213 | In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate their privileges. | [email protected] | 7.2 | 1.40% | 2018-03-03 | 2026-06-16 |
| CVE-2015-1177 | Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.2. | [email protected] | 6.1 | 1.47% | 2017-08-28 | 2026-06-16 |
| CVE-2017-8085 | In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in framework/modules/file/connector/elfinder.php. | [email protected] | 6.1 | 1.15% | 2017-04-24 | 2026-06-16 |
| CVE-2017-7991 | Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php. | [email protected] | 9.8 | 2.11% | 2017-04-21 | 2026-06-16 |
| CVE-2016-9087 | SQL injection vulnerability in framework/modules/filedownloads/controllers/filedownloadController.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the fileid parameter. | [email protected] | 9.8 | 2.23% | 2017-03-07 | 2026-06-16 |