CVE-2022-23047 Information

Description

Exponent CMS 2.6.0patch2 allows an authenticated admin user to inject persistent JavaScript code inside the \Site/Organization Name\Site Title\ and \Site Header\ parameters while updating the site settings on /exponentcms/administration/configure_site\

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Reference

https://fluidattacks.com/advisories/franklin/ https://exponentcms.lighthouseapp.com/projects/61783/tickets/1459 https://github.com/exponentcms/exponent-cms/issues/1546

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

4.8