CVE-2022-23049
N/A
N/A
Summary
Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | Exponent CMS | v2.6.0patch2 | affected |
Weaknesses
- Stored cross-site scripting (XSS)
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/exponentcms/exponent-cms/issues/1546
- https://fluidattacks.com/advisories/cobain/
- https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461
References
- https://github.com/exponentcms/exponent-cms/issues/1546
- https://fluidattacks.com/advisories/cobain/
- https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.