SQL Injection Vulnerability in Exponent CMS by Exponent Technologies
CVE-2016-9019

9.8 CRITICAL

Key Information:

Vendor
CVE Published: 7 March 2017

What is CVE-2016-9019?

A SQL injection vulnerability in the activate_address function of Exponent CMS 2.3.9 and earlier allows remote attackers to manipulate SQL queries. By exploiting the is_what parameter, attackers can execute arbitrary SQL commands, potentially compromising the integrity and confidentiality of the application's database. This vulnerability highlights the importance of sanitizing user inputs to mitigate risks associated with injection attacks.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
