CVE-2015-8684 is a cross-site scripting weakness in Exponent CMS's file-upload handling. The issue stems from insufficient restriction on uploaded file types, allowing an attacker to upload HTML content and then reach it through the elFinder functionality, which can trigger XSS in a user's browser. NVD rates the issue 6.1/Medium, with network access, no privileges required, and user interaction required.
CVE-2015-8667 is a reflected cross-site scripting issue in Exponent CMS's Reset Your Password flow. The NVD record rates it Medium (CVSS 6.1) and shows that it affects Exponent CMS versions before 2.3.5. Because the attack is network-reachable and requires user interaction, it is best treated as a web application input-validation issue that can affect account-recovery pages and user trust.
