PatchSiren

Exponent CMS CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Exponentcms CVE published 2017-02-13

CVE-2016-7565

CVE-2016-7565 is a critical remote code execution issue in Exponent CMS 2.3.9. According to the CVE description, attacker-controlled shell metacharacters in the sc array parameter of install/index.php can be used to execute arbitrary commands. NVD rates the issue CVSS 3.0 9.8, reflecting unauthenticated network attackability and high impact to confidentiality, integrity, and availability.

CRITICAL Exponentcms CVE published 2017-02-07

CVE-2016-7400

CVE-2016-7400 is a critical SQL injection issue in Exponent CMS before version 2.4.0. The weakness affects multiple request parameters across different controller actions, which means a remote attacker could influence database queries and execute arbitrary SQL commands if the vulnerable paths are exposed. Because the CVSS base score is 9.8 and the attack vector is network-based with no authentication requ [truncated]

CRITICAL Exponentcms CVE published 2017-02-06

CVE-2017-5879

CVE-2017-5879 is a critical unauthenticated blind SQL injection affecting Exponent CMS 2.4.1. The flaw is in source_selector.php and can be triggered with an HTTP GET request against the src parameter; NVD also notes out-of-band data exfiltration using techniques such as select_loadfile().

CRITICAL Exponentcms CVE published 2017-01-23

CVE-2016-2242

CVE-2016-2242 is a critical remote code execution vulnerability in Exponent CMS 2.x before 2.3.7 Patch 3. A remote attacker can execute arbitrary code through the sc parameter to install/index.php, so exposed installations should be treated as urgent remediation candidates.

MEDIUM Exponentcms CVE published 2017-01-18

CVE-2015-8684

CVE-2015-8684 is a cross-site scripting weakness in Exponent CMS's file-upload handling. The issue stems from insufficient restriction on uploaded file types, allowing an attacker to upload HTML content and then reach it through the elFinder functionality, which can trigger XSS in a user's browser. NVD rates the issue 6.1/Medium, with network access, no privileges required, and user interaction required.

MEDIUM Exponentcms CVE published 2017-01-18

CVE-2015-8667

CVE-2015-8667 is a reflected cross-site scripting issue in Exponent CMS's Reset Your Password flow. The NVD record rates it Medium (CVSS 6.1) and shows that it affects Exponent CMS versions before 2.3.5. Because the attack is network-reachable and requires user interaction, it is best treated as a web application input-validation issue that can affect account-recovery pages and user trust.