| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <a5d76a4.322.15825045950.Coremail.kaiyi.xu@dbappsecurity.com.cn> Date: Wed, 2 Nov 2016 20:29:51 +0800 (GMT+08:00) From: Obfuscator <kaiyi.xu@...ppsecurity.com.cn> To: fulldisclosure@...lists.org Subject: [FD] Disclose [10 * cve] in Exponent CMS Disclose 10 * cve in Exponent CMS [CVE-2016-7780] > In the line 42 of cron/find_help.php , $_GET['version'] can be > controlled and injected. It is possible to time-based blind SQL Inject > by the param of "version". fix: https://github.com/exponentcms/exponent-cms/commit/a8efd9ca71fc9b8b843ad0910d435d237482ee31 [CVE-2016-7781] > In the line 387 function getUserByName of > ./framework/modules/users/models/user.php , $name can be controlled and > injected. It is possible to time-based blind SQL Inject by the param of > "author". fix: In the line 169 of framework/modules/blog/controllers/blogController.php , $this->params['author'] has been escaped. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-7782] > In the line 33 of ./framework/core/models/expConfig.php , > $this->location_data can be controlled and injected. It is possible to > time-based blind SQL Inject by the param of "src". fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-7783] > In the line 118 of ./framework/core/models/expRecord.php , $params can > be controlled and injected. It is possible to boolean-based and > time-based blind SQL Inject by the param of "title" . fix:http://www.exponentcms.org/news/security-vulnerability-all-exponent-versions-october-2016 [CVE-2016-7784] > This bug was found in the framework/core/subsystems/expRouter.php > It is possible to inject SQL code in the function getSection by > $_REQUEST['section']. fix:https://exponentcms.lighthouseapp.com/projects/61783/changesets/1965e3719986406576898668855b8afbab43ed2c [CVE-2016-7788] >In Exponent CMS <=2.3.9, In the line 74 of ./framework/modules/users/models/user.php , $username > can be controlled and injected.It is possible to time-based blind SQL > Inject by the param of "username". fix: In the line 127 of file framework/modules/users/controllers/loginController.php. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-7789] >In Exponent CMS <=2.3.9, framework/modules/eaas/controllers/eaasController.php , $key can be > controlled. And in the line 33 of framework/core/models/expConfig.php, > $this->location_data can be controlled and injected. It is possible to > boolean-based blind SQL Inject by the param of apikey. fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-9019] > In Exponent CMS <=2.3.9, in the function activate_address of the file > framework/modules/addressbook/controllers/addressController.php, > $this->params['is_what'] can be controlled and injected. It is possible > to do time-based SQL inject by the param 'is_what'. fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591 [CVE-2016-9020] > In exponentcms <=2.3.9, in the line 125 of file > framework/modules/help/controllers/helpController.php, > $this->params['version'] can be controlled and injected. it is possible > to SQL injection by the param of 'version'. Fix: In the line 55 of framework/modules/help/models/help_version.php , $version has been escaped by function expString::escape. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db [CVE-2016-9087] > In exponentcms <=2.3.9, in the line 94 of file > framework/modules/filedownloads/controllers/filedownloadController.php, > $this->param['fileid'] can be controlled and injected. It is possible > to SQL inject by param fileid. Fix: In the line 94 of file framework/modules/filedownloads/controllers/filedownloadController.php , $this->params['fileid'] has been escaped by function expString::escape. https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db Reported By web-Obfuscator in dbappsecurity _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists