PatchSiren

CVE-2015-8667 Exponentcms CVE debrief

CVE-2015-8667 is a reflected cross-site scripting issue in Exponent CMS's Reset Your Password flow. The NVD record rates it Medium (CVSS 6.1) and shows that it affects Exponent CMS versions before 2.3.5. Because the attack is network-reachable and requires user interaction, it is best treated as a web application input-validation issue that can affect account-recovery pages and user trust.

Vendor: Exponentcms
Product: CVE-2015-8667
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers running Exponent CMS instances below 2.3.5, especially sites exposing the password reset module to the public web. Security teams responsible for web app hardening and incident response should also review this issue because XSS on an authentication-related page can affect users before login.

Technical summary

The vulnerability is classified as CWE-79 (cross-site scripting). According to the NVD CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, exploitation is possible over the network with low attack complexity and without privileges, but it requires user interaction. Successful exploitation has a low impact on confidentiality and integrity, no availability impact, and a changed scope. The affected component is the Reset Your Password module. Affected versions are those before Exponent CMS 2.3.5, so upgrading to 2.3.5 or later is the intended remediation path.

Defensive priority

Medium. The issue is publicly documented, remotely reachable, and sits in an authentication-adjacent workflow, but it requires user interaction and does not indicate availability impact in the supplied CVSS vector. Prioritize it alongside other exposed web-input XSS flaws, especially if the reset page is internet-facing.

Recommended defensive actions

  • Upgrade Exponent CMS to version 2.3.5 or later.
  • Review the Reset Your Password module for reflected output handling and ensure all user-controlled fields are properly encoded before rendering.
  • Validate that any deployed reverse proxies, WAF rules, or template layers do not rely on client-side filtering as the only protection.
  • Check public password-reset pages for unexpected script or HTML injection behavior and remove any unsafe rendering paths.
  • Monitor vendor advisories and release notes tied to the 2.3.5 fix for any additional web input handling changes.

Evidence notes

Supported by the NVD record for CVE-2015-8667: description identifies cross-site scripting in the Reset Your Password module and states affected versions are before 2.3.5; the record also provides CWE-79 and the CVSS v3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Reference links in the record include the vendor advisory ticket and a third-party advisory/VDB entry. The CVE publishedAt timestamp is 2017-01-18T17:59:00.263Z and modifiedAt is 2026-05-13T00:24:29.033Z; timing context should use the published date rather than the later modification date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-01-18. The supplied record was later modified on 2026-05-13, but that modification date should not be treated as the original disclosure date.