CVE-2016-7789

critical

Published 2017-03-07 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

SQL injection vulnerability in framework/core/models/expConfig.php in Exponent CMS 2.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the apikey parameter.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://seclists.org/fulldisclosure/2016/Nov/12

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — http://packetstormsecurity.com/files/139484/Exponent-CMS-2.3.9-SQL-Injection.html

Application impact

Vendor	Product	Versions	Fixed
exponentcms	exponent_cms	`{"endIncluding":"2.3.9"}`

References

http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591
http://packetstormsecurity.com/files/139484/Exponent-CMS-2.3.9-SQL-Injection.html
http://seclists.org/fulldisclosure/2016/Nov/12
http://www.securityfocus.com/bid/97235
http://forums.exponentcms.org/index.php?p=/discussion/comment/1591#Comment_1591
http://packetstormsecurity.com/files/139484/Exponent-CMS-2.3.9-SQL-Injection.html
http://seclists.org/fulldisclosure/2016/Nov/12
http://www.securityfocus.com/bid/97235

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.