CVE-2016-7452 - The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious

CVE-2016-7452

Summary

The Pixidou Image Editor in Exponent CMS prior to v2.3.9 patch 2 could be used to upload a malicious file to any folder on the site via a cpi directory traversal.

References

Vulnerable Configurations

cpe:2.3:a:exponentcms:exponent_cms:0.97.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:0.97.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:0.98.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:0.98.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:0.99.0:beta1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:0.99.0:beta1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta2.1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta2.1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.1:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.1:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.1:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.1:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.4:p3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.4:p3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.5:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.5:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.5:p1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.5:p1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.5:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.5:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.6:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.8:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.0.9:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.0:alpha:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.0:alpha:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:p11:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:p11:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch11:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch11:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch6:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch6:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch7:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch7:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch8:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch8:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch9:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.4:patch9:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.1.5:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:beta1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:beta1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:beta3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:beta3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:p5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:p5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.2:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:p14:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:p14:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch10:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch10:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch11:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch11:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch12:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch12:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch14:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch14:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch9:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.2.3:patch9:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:p4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:p4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.0:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:p4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:p4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.1:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.2:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:p1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:p1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.3:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:p1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:p1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.4:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:p2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.5:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.7:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch2:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch3:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch4:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch5:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch6:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.8:patch6:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.9:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.9:-:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.9:patch1:*:*:*:*:*:*
cpe:2.3:a:exponentcms:exponent_cms:2.3.9:patch1:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 27-02-2018 - 02:29)
Impact:
Exploitability:

CWE

CWE-434

CAPEC

Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:P/A:N

refmap via4

bid	93045
confirm	https://github.com/exponentcms/exponent-cms/commit/c1092f167cc6c78dc8bf9bf149946c5219413df3 https://github.com/exponentcms/exponent-cms/releases/tag/v2.4.0

Last major update

27-02-2018 - 02:29

Published

03-11-2016 - 10:59

Last modified

27-02-2018 - 02:29