CVE-2014-8690: XSS
First published: Thu Feb 19 2015(Updated: )
Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src parameter in a none action to index.php, or the (3) "First Name" or (4) "Last Name" field to users/edituser.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ExponentCMS | <=2.1.4 | |
| ExponentCMS | =2.2.0 | |
| ExponentCMS | =2.2.1 | |
| ExponentCMS | =2.2.2 | |
| ExponentCMS | =2.2.3 | |
| ExponentCMS | =2.3.0 | |
| ExponentCMS | =2.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior
- http://osvdb.org/show/osvdb/118263
- http://osvdb.org/show/osvdb/118345
- http://packetstormsecurity.com/files/130382/Exponent-CMS-2.3.1-Cross-Site-Scripting.html
- http://www.exploit-db.com/exploits/36059
- http://www.exponentcms.org/news/show/title/corrected-security-patches-released-for-v2-1-4-v2-2-3-and-v2-3-0
- http://www.securitytracker.com/id/1031775
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100877
Frequently Asked Questions
What is the severity of CVE-2014-8690?
CVE-2014-8690 is considered a medium severity vulnerability due to its ability to allow attackers to exploit cross-site scripting (XSS).
How do I fix CVE-2014-8690?
To fix CVE-2014-8690, update Exponent CMS to version 2.1.4 patch 6 or later, or 2.2.3 patch 9 or later, and 2.3.1 patch 4 or later.
What versions of Exponent CMS are affected by CVE-2014-8690?
CVE-2014-8690 affects Exponent CMS versions prior to 2.1.4 patch 6, all versions of 2.2.x before 2.2.3 patch 9, and all versions of 2.3.x before 2.3.1 patch 4.
What types of attacks can exploit CVE-2014-8690?
CVE-2014-8690 can be exploited through cross-site scripting (XSS) attacks, allowing attackers to inject arbitrary scripts or HTML into web pages.
Is there a workaround for CVE-2014-8690 if I cannot upgrade?
If upgrading Exponent CMS to a safe version is not possible, consider implementing input validation and output encoding techniques to mitigate the effects of CVE-2014-8690.
- agent/references
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/exponentcms
- canonical/exponentcms
- version/exponentcms/2.1.4
- version/exponentcms/2.2.0
- version/exponentcms/2.2.1
- version/exponentcms/2.2.2
- version/exponentcms/2.2.3
- version/exponentcms/2.3.0
- version/exponentcms/2.3.1