HTTP: Exponent CMS eaasController.php api Function SQL Injection

A SQL injection vulnerability has been reported in Exponent CMS. Successful exploitation could result in the execution of arbitrary SQL commands on the target server.

Extended Description

Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serialized API key (apikey parameter) in the api function of framework/modules/eaas/controllers/eaasController.php.

Affected Products

Exponentcms exponent_cms

References

CVE: CVE-2017-7991

Short Name: HTTP:SQL:EXPONENT-CMS-INJ
Severity: Major
Recommended: True
Recommended Action: Drop
Category: HTTP
Keywords: CMS CVE-2017-7991 Exponent Function Injection SQL api eaasController.php
Release Date: 05/05/2017
Supported Platforms

srx-branch-12.3

srx-branch-19.3

vsrx3bsd-19.2

vsrx3bsd-19.4

srx-branch-19.4

vsrx-19.4

srx-19.4

vsrx-12.3

srx-12.3

vsrx-19.2

srx-19.3

vmx-19.4

mx-12.3

mx-19.4

mx-19.3

vmx-19.3

Sigpack Version: 3803
False Positive: Unknown
Vendors

Exponentcms

CVSS Score

7.5
