Multiple Vulnerabilities in Exponent CMS
|Vendor:||Online Innovative Creations|
|Vulnerable Versions:||2.2.0 beta 3 and probably prior|
|Tested Version:||2.2.0 beta 3|
|Advisory Publication:||April 24, 2013 [without technical details]|
|Vendor Notification:||April 24, 2013|
|Vendor Fix:||May 3, 2013|
|Public Disclosure:||May 15, 2013|
|Latest Update:||May 6, 2013|
|Vulnerability Type:||SQL Injection [CWE-89]|
PHP File Inclusion [CWE-98]
|CVSSv2 Base Scores:||7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)|
|Solution Status:||Fixed by Vendor|
|Discovered and Provided:||High-Tech Bridge Security Research Lab|
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Exponent CMS, which can be exploited to execute arbitrary SQL commands in the database of vulnerable application and execute arbitrary PHP code on the vulnerable system.
|Upgrade to Exponent CMS v2.2.0 Release Candidate 1|
| High-Tech Bridge Advisory HTB23154 - https://www.htbridge.com/advisory/HTB23154 - Multiple Vulnerabilities in Exponent CMS.|
 Exponent CMS - http://www.exponentcms.org - Exponent is a website content management system (or CMS) that allows site owners to easily create and manage dynamic websites without necessarily directly coding web pages, or managing site navigation.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.