CVE-2016-9285 Information

Description

framework/modules/addressbook/controllers/addressController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via a modified id number as demonstrated by address/edit/id/1 related to an \addresses countries and regions\ issue.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Reference

http://www.securityfocus.com/bid/94296 http://www.securitytracker.com/id/1037281 https://github.com/exponentcms/exponent-cms/commit/9eeed1e82fb9e6d0d41e7dd10672df48045a9b59

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

NONE

Base Score

NONE

Base Severity

5.3