Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine before 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module to system/index.php.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | 2.2.2 |
| ellislab | expressionengine | 2.0.1 |
| expressionengine | expressionengine | 2.6.0 |
| expressionengine | expressionengine | 2.7.0 |
| ellislab | expressionengine | 2.7.2 |
| ellislab | expressionengine | 2.5.5 |
| expressionengine | expressionengine | 2.5.3 |
| expressionengine | expressionengine | 2.2.0 |
| expressionengine | expressionengine | 2.2.1 |
| expressionengine | expressionengine | 2.3.0 |
| expressionengine | expressionengine | 2.5.2 |
| expressionengine | expressionengine | 2.1.5 |
| ellislab | expressionengine | 2.0.0 |
| expressionengine | expressionengine | 2.1.0 |
| expressionengine | expressionengine | 2.7.3 |
| expressionengine | expressionengine | 2.4.0 |
| ellislab | expressionengine | 2.8.1 |
| expressionengine | expressionengine | 2.1.4 |
| expressionengine | expressionengine | 2.5.0 |
| ellislab | expressionengine | 2.0.2 |
| ellislab | expressionengine | 2.3.1 |
| ellislab | expressionengine | 2.6.1 |
| expressionengine | expressionengine | 2.8.0 |
| ellislab | expressionengine | 2.7.1 |
| expressionengine | expressionengine | 2.1.1 |
| expressionengine | expressionengine | 2.5.1 |
| expressionengine | expressionengine | * |
| ellislab | expressionengine | 2..5.4 |
| expressionengine | expressionengine | 2.1.2 |
| expressionengine | expressionengine | 2.1.3 |
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-330,CWE-331,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | 3.2.1 |
| expressionengine | expressionengine | 3.0.5 |
| expressionengine | expressionengine | 2.6.0 |
| expressionengine | expressionengine | 2.11.3 |
| expressionengine | expressionengine | 3.0.6 |
| expressionengine | expressionengine | 3.5.4 |
| expressionengine | expressionengine | 3.3.4 |
| expressionengine | expressionengine | 2.11.0 |
| expressionengine | expressionengine | 2.5.3 |
| expressionengine | expressionengine | 2.2.0 |
| expressionengine | expressionengine | 2.5.4 |
| expressionengine | expressionengine | 2.10.2 |
| expressionengine | expressionengine | 3.4.7 |
| expressionengine | expressionengine | 3.4.3 |
| expressionengine | expressionengine | 2.2.1 |
| expressionengine | expressionengine | 2.7.2 |
| expressionengine | expressionengine | 2.11.4 |
| expressionengine | expressionengine | 3.4.6 |
| expressionengine | expressionengine | 2.3.0 |
| expressionengine | expressionengine | 3.4.1 |
| expressionengine | expressionengine | 3.4.5 |
| expressionengine | expressionengine | 2.1.0 |
| expressionengine | expressionengine | 2.7.3 |
| expressionengine | expressionengine | 2.4.0 |
| expressionengine | expressionengine | 2.6.1 |
| expressionengine | expressionengine | 2.10.3 |
| expressionengine | expressionengine | 2.9.3 |
| expressionengine | expressionengine | 2.1.4 |
| expressionengine | expressionengine | 3.1.2 |
| expressionengine | expressionengine | 3.3.3 |
| expressionengine | expressionengine | 3.1.1 |
| expressionengine | expressionengine | 3.5.0 |
| expressionengine | expressionengine | 3.3.2 |
| expressionengine | expressionengine | 2.11.6 |
| expressionengine | expressionengine | 2.5.1 |
| expressionengine | expressionengine | 3.1.0 |
| expressionengine | expressionengine | 2.1.2 |
| expressionengine | expressionengine | 2.2.2 |
| expressionengine | expressionengine | 3.3.1 |
| expressionengine | expressionengine | 3.5.1 |
| expressionengine | expressionengine | 2.7.0 |
| expressionengine | expressionengine | 2.9.2 |
| expressionengine | expressionengine | 3.2.0 |
| expressionengine | expressionengine | 2.11.1 |
| expressionengine | expressionengine | 3.4.0 |
| expressionengine | expressionengine | 3.1.4 |
| expressionengine | expressionengine | 2.7.1 |
| expressionengine | expressionengine | 2.8.1 |
| expressionengine | expressionengine | 3.4.4 |
| expressionengine | expressionengine | 2.5.2 |
| expressionengine | expressionengine | 3.3.0 |
| expressionengine | expressionengine | 2.1.5 |
| expressionengine | expressionengine | 2.0.1 |
| expressionengine | expressionengine | 2.0.2 |
| expressionengine | expressionengine | 2.9.0 |
| expressionengine | expressionengine | 2.0.0 |
| expressionengine | expressionengine | 2.11.5 |
| expressionengine | expressionengine | 3.5.2 |
| expressionengine | expressionengine | 3.5.3 |
| expressionengine | expressionengine | 3.0.3 |
| expressionengine | expressionengine | 3.0.4 |
| expressionengine | expressionengine | 2.3.1 |
| expressionengine | expressionengine | 2.10.0 |
| expressionengine | expressionengine | 3.0.0 |
| expressionengine | expressionengine | 3.1.3 |
| expressionengine | expressionengine | 2.5.0 |
| expressionengine | expressionengine | 3.0.2 |
| expressionengine | expressionengine | 2.5.5 |
| expressionengine | expressionengine | 2.11.7 |
| expressionengine | expressionengine | 2.9.1 |
| expressionengine | expressionengine | 2.8.0 |
| expressionengine | expressionengine | 2.1.1 |
| expressionengine | expressionengine | 2.11.2 |
| expressionengine | expressionengine | 3.4.2 |
| expressionengine | expressionengine | 2.10.1 |
| expressionengine | expressionengine | 2.1.3 |
| expressionengine | expressionengine | 3.0.1 |
EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | 3.4.2 |
ExpressionEngine before 4.3.5 has reflected XSS.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | * |
ExpressionEngine before 5.3.2 allows remote attackers to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type check and file-extension check while uploading new files. Short aliases are not used for an attachment; instead, direct access is allowed to the uploaded files. It is possible to upload PHP only if one has member access, or registration/forum is enabled and one can create a member with the default group id of 5. To exploit this, one must to be able to send and compose messages (at least).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-434,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | * |
Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | * |
ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | * |
In Expression Engine before 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | * |
In ExpressionEngine before 7.2.6, remote code execution can be achieved by an authenticated Control Panel user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | * |
ExpressionEngine before 7.4.11 allows XSS.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| expressionengine | expressionengine | * |