PatchSiren cyber security CVE debrief

CVE-2015-8684 Exponentcms CVE debrief

CVE-2015-8684 is a cross-site scripting vulnerability in Exponent CMS's file-upload handling. The issue stems from insufficient restriction of uploaded file types, allowing an attacker to upload HTML content and then reach it through the elFinder file manager, which can trigger XSS in a victim's browser. NVD rates the issue 6.1 (Medium), with a network attack vector, no privileges required, and user interaction required.

Vendor: Exponentcms
Product: CVE-2015-8684
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Administrators and maintainers of Exponent CMS installations, especially systems exposing file upload and file browsing features such as elFinder. Security teams should pay attention if the site accepts user-supplied files or serves uploaded content from web-accessible locations.

Technical summary

The supplied description says Exponent CMS before 2.3.7 did not properly restrict uploadable file types, allowing remote attackers to upload a file with an .html extension and then access it through elFinder to execute cross-site scripting. NVD classifies the weakness as CWE-79 and gives a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, i.e. a remotely reachable attack that depends on user interaction, affects confidentiality and integrity, and has a scope change (the impact extends beyond the vulnerable component into the user's browser session).

Defensive priority

Medium to High: this is a remotely reachable web XSS issue with no authentication requirement, so exposed installations should be reviewed and remediated promptly, even though user interaction is required and availability is not directly impacted.

Recommended defensive actions

  • Upgrade Exponent CMS to a version that addresses the upload restriction issue.
  • Restrict allowed upload types to a strict allowlist and reject active content such as HTML where it is not needed.
  • Verify that uploaded files are not served in a way that permits browser execution of attacker-controlled content.
  • Review elFinder and any other file management features for exposure to untrusted users.
  • Audit existing uploads for suspicious HTML or other active content and remove unsafe files.
  • Test for XSS mitigations such as output encoding and content-disposition controls on downloaded files.
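To make the allowlist, serving and audit recommendations above concrete, here is an added example (not code from PatchSiren or from Exponent CMS): a standalone Python checker that rejects active content by extension and by a loose content signature, produces download headers that keep stored uploads from rendering in the site's origin, and walks an existing upload directory to flag files that would fail the same policy. The allowlist and the signature pattern are constructed for illustration and should be tuned per site.

```python
import os
import re

# Constructed allowlist for a hypothetical upload policy; tune per site.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv", "zip"}

# Extensions browsers or the server may treat as active content; always rejected.
# CVE-2015-8684 was an .html upload reached through elFinder.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "svg", "xml", "js", "shtml", "php", "phtml"}

# Loose markup signature on the first bytes, so a renamed HTML payload
# (e.g. "report.txt") is still rejected or flagged for review.
_HTML_SIGNATURE = re.compile(
    rb"<\s*(!doctype\s+html|html|script|iframe|svg|body)\b", re.IGNORECASE)

def looks_like_html(data: bytes) -> bool:
    return _HTML_SIGNATURE.search(data[:1024]) is not None

def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Rejects files off the allowlist, files with an
    active extension anywhere in a multi-extension name, and HTML-looking content."""
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in ACTIVE_EXTENSIONS for e in exts):
        return False, "active content extension in %r" % base
    if exts[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension .%s not on allowlist" % exts[-1]
    if looks_like_html(data):
        return False, "content looks like HTML regardless of extension"
    return True, "ok"

def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload so the browser never executes it in the
    site's origin: force download, forbid MIME sniffing, sandbox if rendered anyway."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }

def audit_directory(root: str) -> list:
    """Walk an existing uploads tree and list (path, reason) for files failing the policy."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(1024)
            ok, reason = check_upload(name, head)
            if not ok:
                findings.append((path, reason))
    return findings
```

Run `audit_directory("/path/to/uploads")` against a copy of the upload store first; it only reads the first kilobyte of each file and reports, it does not delete anything.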

Evidence notes

The core evidence comes from the CVE description and NVD metadata. The description states the flaw existed before 2.3.7 and describes abuse via an .html upload accessed through elFinder. NVD's CPE criteria mark Exponent CMS vulnerable through 2.3.5, so the supplied sources do not fully agree on the upper affected version boundary. NVD also lists CWE-79 and the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Official resources

Publicly recorded in the CVE system on 2017-01-18 and last modified in the supplied record on 2026-05-13. The issue concerns Exponent CMS file-upload XSS behaviour referenced by both vendor and third-party advisories.