Exponent CMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Exponent CMS version 2.6. This vulnerability allows authenticated attackers to inject malicious scripts via the Title and Text Block parameters in the text editing endpoint. Exploitation involves embedding iframe payloads with SVG onload events to execute arbitrary JavaScript. Additionally, the application inadvertently discloses database credentials in its responses and lacks adequate protection against brute-force attacks on authentication endpoints.

Impact

Exploitation results in stored cross-site scripting: the injected script executes in the browser context of a user who views the affected content.

Reproduction

To reproduce this vulnerability, an authenticated user can navigate to the text editing endpoint and inject a script into the Title or Text Block parameters. Payloads can include iframes with embedded SVGs that exploit onload events to execute JavaScript. After saving the injection, the script will execute when the content is viewed.

Remediation

Users are advised to update to Exponent CMS version 2.7.2 or 3.0.2, both of which include patches for this vulnerability.
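
An added example, not Exponent CMS code, for checking content that was saved before the upgrade: it scans stored Title and Text Block values for the markup described under Reproduction (iframes and event-handler attributes such as onload, including markup nested inside an iframe). The record layout, field names and sample rows are constructed, and nesting through the iframe srcdoc attribute is an assumption about how the SVG is embedded.

```python
from html.parser import HTMLParser

# Assumed policy: these tags never belong in a title or text block.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"src", "href", "xlink:href"}
BAD_SCHEMES = ("javascript:", "data:text/html", "data:image/svg")
MAX_DEPTH = 3  # bound recursion into nested srcdoc documents

class _Scanner(HTMLParser):
    def __init__(self, depth):
        super().__init__(convert_charrefs=True)
        self.depth = depth
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value.lower().startswith(BAD_SCHEMES):
                self.findings.append(f"script-capable URL in {name} on <{tag}>")
            elif name == "srcdoc" and self.depth < MAX_DEPTH:
                # srcdoc carries a whole nested document, so scan it as well.
                self.findings.extend(scan(value, self.depth + 1))

def scan(markup, depth=0):
    """Return a list of findings for one stored HTML fragment."""
    scanner = _Scanner(depth)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

def audit(records):
    """Map record id -> findings for rows whose title or body looks injected."""
    found = {r["id"]: scan(r["title"]) + scan(r["body"]) for r in records}
    return {rid: hits for rid, hits in found.items() if hits}

# Constructed sample rows; field names are hypothetical, not Exponent's schema.
SAMPLE = [
    {"id": 1, "title": "Welcome", "body": "<p>Opening hours: <b>9-5</b></p>"},
    {"id": 2, "title": "News",
     "body": '<iframe srcdoc="&lt;svg onload=console.log(1)&gt;"></iframe>'},
    {"id": 3, "title": "<svg onload=console.log(1)>", "body": "text"},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Rows reported by `audit` are candidates for manual review; a finding means the stored markup contains active content, not that it was necessarily placed there by an attacker.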

Added: May 10, 2026, 1:39 PM
Updated: May 10, 2026, 1:39 PM

Vulnerability Rating

Custom Algorithm

spread: 2.2
impact: 3.1
exploitability: 8.2
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.