CVE-2022-23047

Опубликовано: 09 фев. 2022

Источник: nvd

CVSS3: 4.8

CVSS2: 3.5

EPSS Низкий

Описание

Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the "Site/Organization Name","Site Title" and "Site Header" parameters while updating the site settings on "/exponentcms/administration/configure_site"

Ссылки

https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459
Exploit
Issue Tracking
Vendor Advisory
https://fluidattacks.com/advisories/franklin/
Exploit
Issue Tracking
Third Party Advisory
https://github.com/exponentcms/exponent-cms/issues/1546
Exploit
Issue Tracking
Third Party Advisory
https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459
Exploit
Issue Tracking
Vendor Advisory
https://fluidattacks.com/advisories/franklin/
Exploit
Issue Tracking
Third Party Advisory
https://github.com/exponentcms/exponent-cms/issues/1546
Exploit
Issue Tracking
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:exponentcms:exponent_cms:2.6.0:patch2:*:*:*:*:*:*

EPSS

Процентиль: 74%

0.00854

Низкий

4.8 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-xgxx-qjfr-x75f

github

почти 4 года назад