Disclose 10 * cve in Exponent CMS
[CVE-2016-7780]


> In the line 42 of cron/find_help.php , $_GET['version'] can be
> controlled and injected. It is possible to time-based blind SQL Inject
> by the param of "version".


fix: https://github.com/exponentcms/exponent-cms/commit/a8efd9ca71fc9b8b843ad0910d435d237482ee31


[CVE-2016-7781]


> In the line 387 function getUserByName of
> ./framework/modules/users/models/user.php , $name can be controlled and
> injected. It is possible to time-based blind SQL Inject by the param of
> "author".


fix: In the line 169 of framework/modules/blog/controllers/blogController.php , $this->params['author'] has been escaped.
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db


[CVE-2016-7782]


> In the line 33 of ./framework/core/models/expConfig.php ,
> $this->location_data can be controlled and injected. It is possible to
> time-based blind SQL Inject by the param of "src".


fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591




[CVE-2016-7783]


> In the line 118 of ./framework/core/models/expRecord.php , $params can
> be controlled and injected. It is possible to boolean-based and
> time-based blind SQL Inject by the param of "title" .


fix:http://www.exponentcms.org/news/security-vulnerability-all-exponent-versions-october-2016


[CVE-2016-7784]


> This bug was found in the framework/core/subsystems/expRouter.php
> It is possible to inject SQL code in the function getSection by
> $_REQUEST['section'].


fix:https://exponentcms.lighthouseapp.com/projects/61783/changesets/1965e3719986406576898668855b8afbab43ed2c


[CVE-2016-7788]
>In Exponent CMS <=2.3.9,  In the line 74 of ./framework/modules/users/models/user.php , $username
> can be controlled and injected.It is possible to time-based blind SQL
> Inject by the param of "username".


fix: In the line 127 of file framework/modules/users/controllers/loginController.php.
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db


[CVE-2016-7789]
>In Exponent CMS <=2.3.9,  framework/modules/eaas/controllers/eaasController.php , $key can be
> controlled. And in the line 33 of framework/core/models/expConfig.php,
> $this->location_data can be controlled and injected. It is possible to
> boolean-based blind SQL Inject by the param of apikey.


fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591


[CVE-2016-9019]
> In Exponent CMS <=2.3.9, in the function activate_address of the file
> framework/modules/addressbook/controllers/addressController.php,
> $this->params['is_what'] can be controlled and injected. It is possible
> to do time-based SQL inject by the param 'is_what'.


fix:http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591


[CVE-2016-9020]


> In exponentcms <=2.3.9, in the line 125 of file
> framework/modules/help/controllers/helpController.php,
> $this->params['version'] can be controlled and injected. it is possible
> to SQL injection by the param of 'version'.


Fix: In the line 55 of framework/modules/help/models/help_version.php , $version has been escaped by function expString::escape.
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db




[CVE-2016-9087]


> In exponentcms <=2.3.9, in the line 94 of file
> framework/modules/filedownloads/controllers/filedownloadController.php,
> $this->param['fileid'] can be controlled and injected. It is possible
> to SQL inject by param fileid.


Fix: In the line 94 of file framework/modules/filedownloads/controllers/filedownloadController.php
, $this->params['fileid'] has been escaped by function expString::escape.
https://github.com/exponentcms/exponent-cms/commit/fdafb5ec97838e4edbd685f587f28d3174ebb3db


Reported By web-Obfuscator in dbappsecurity