Vulnerability Description
Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Exponentcms | Exponent Cms | 2.4.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/94227Third Party Advisory
- https://github.com/exponentcms/exponent-cms/commit/684d79424f768db8bb345d5c68aa2Issue TrackingPatchThird Party Advisory
- http://www.securityfocus.com/bid/94227Third Party Advisory
- https://github.com/exponentcms/exponent-cms/commit/684d79424f768db8bb345d5c68aa2Issue TrackingPatchThird Party Advisory
FAQ
What is CVE-2016-9182?
CVE-2016-9182 is a vulnerability with a CVSS score of 7.5 (HIGH). Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exp...
How severe is CVE-2016-9182?
CVE-2016-9182 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-9182?
Check the references section above for vendor advisories and patch information. Affected products include: Exponentcms Exponent Cms.