Persistent JavaScript Code Injection in Exponent CMS by FluidAttacks
CVE-2022-23047

4.8 MEDIUM

Key Information:

Vendor: Exponent CMS
CVE Published: 9 February 2022

What is CVE-2022-23047?

Exponent CMS version 2.6.0patch2 is vulnerable to persistent (stored) JavaScript injection, i.e. stored cross-site scripting. An authenticated administrator can save script markup in the 'Site/Organization Name', 'Site Title' and 'Site Header' fields of the site settings form; the stored values are later rendered into pages without adequate output encoding, so the script executes in the browser of any user who views a page that displays them, which for the site title and header is typically every page. Because an administrator account is required, the bar for exploitation is high; the practical risk is an attacker who has obtained or phished admin credentials using these fields as a persistent foothold against other administrators and visitors (session theft, content tampering, further phishing). Administrators should apply the vendor's fix when available, keep the set of admin accounts minimal, and review the current values of these three fields for unexpected markup.
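The bug class described above, as an added example written for this page (it is not Exponent CMS code and does not reproduce the actual exploit): a hypothetical page template that interpolates the three stored settings fields raw, beside the same template with HTML escaping applied, plus a small audit helper of the kind an administrator could run over the stored values. The field names, template and payload strings are constructed for illustration.

```python
import html
import re

# Constructed sample settings as an admin might submit them; the payloads are
# illustrative markers, not exploit strings taken from Exponent CMS.
SETTINGS = {
    "site_name": 'Acme Corp"><script>alert(1)</script>',
    # Closes the <title> element, whose text is otherwise not parsed as tags.
    "site_title": "Acme</title><script>alert(1)</script>",
    "site_header": "Welcome<img src=x onerror=alert(1)>",
}

# Minimal page skeleton standing in for a CMS theme (hypothetical).
PAGE_TEMPLATE = (
    "<!DOCTYPE html>\n"
    "<html><head><title>{site_title}</title></head>\n"
    "<body>\n"
    '<h1 class="header">{site_header}</h1>\n'
    '<a href="/" title="{site_name}">{site_name}</a>\n'
    "</body></html>\n"
)

# A <script tag, or an on*= handler inside a real (unescaped) tag.
INJECTED_MARKUP = re.compile(r"<script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def render_vulnerable(settings):
    """Stored values dropped straight into the markup: a persistent XSS sink."""
    return PAGE_TEMPLATE.format(**settings)


def render_hardened(settings):
    """Escape every value for HTML text / quoted-attribute context before use."""
    escaped = {key: html.escape(value, quote=True) for key, value in settings.items()}
    return PAGE_TEMPLATE.format(**escaped)


def has_injected_markup(page):
    """Crude detector for script tags or event handlers in a rendered page."""
    return INJECTED_MARKUP.search(page) is not None


def audit_settings(settings):
    """Return the names of stored fields containing HTML-significant characters.

    Plain names such as 'Smith & Sons' are flagged too; the output is a review
    list for an administrator, not a verdict.
    """
    return sorted(k for k, v in settings.items() if html.escape(v, quote=True) != v)


if __name__ == "__main__":
    print("vulnerable page contains live markup:", has_injected_markup(render_vulnerable(SETTINGS)))
    print("hardened page contains live markup:  ", has_injected_markup(render_hardened(SETTINGS)))
    print("fields to review:", audit_settings(SETTINGS))
```

html.escape is the right encoding only for HTML text and quoted attribute values; a setting that ends up inside a script block, a URL or an unquoted attribute needs the encoding for that context, and a Content-Security-Policy without 'unsafe-inline' limits what a stored payload can do if an encoding step is missed.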

Affected Version(s)

Exponent CMS v2.6.0patch2

CVSS V3.1

Score: 4.8 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Availability is None rather than Low: with the other metrics as listed, the CVSS 3.1 formula gives 5.9 for A:L and 4.8 for A:N, so only A:N matches the published score. Privileges Required is High because an administrator account is needed to edit the settings; User Interaction Required and Scope Changed reflect that the stored script runs in a victim's browser rather than on the server.

Timeline

  • Vulnerability published: 9 February 2022