expressionengine expressionengine vulnerabilities and exploits
7.5
CVSSv2
CVE-2021-33199
In Expression Engine prior to 6.0.3, addonIcon in Addons/file/mod.file.php relies on the untrusted input value of input->get('file') instead of the fixed file names of icon.png and icon.svg.
Expressionengine Expressionengine
6.5
CVSSv2
CVE-2020-8242
Unsanitized user input in ExpressionEngine <= 5.4.0 control panel member creation leads to an SQL injection. The user needs member creation/admin control panel access to execute the attack.
Expressionengine Expressionengine
6.5
CVSSv2
CVE-2021-27230
ExpressionEngine prior to 5.4.2 and 6.x prior to 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory.
Expressionengine Expressionengine
6.5
CVSSv2
CVE-2020-13443
ExpressionEngine prior to 5.3.2 allows remote malicious users to upload and execute arbitrary code in a .php%20 file via Compose Msg, Add attachment, and Save As Draft actions. A user with low privileges (member) is able to upload this. It is possible to bypass the MIME type chec...
Expressionengine Expressionengine
6.5
CVSSv2
CVE-2014-5387
Multiple SQL injection vulnerabilities in EllisLab ExpressionEngine prior to 2.9.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) column_filter or (2) category[] parameter to system/index.php or the (3) tbl_sort[0][] parameter in the comment module...
Ellislab Expressionengine 2..5.4
Expressionengine Expressionengine 2.5.3
Expressionengine Expressionengine 2.5.2
Expressionengine Expressionengine 2.5.1
Expressionengine Expressionengine 2.5.0
Ellislab Expressionengine 2.0.2
Ellislab Expressionengine 2.0.1
Ellislab Expressionengine 2.0.0
Expressionengine Expressionengine 2.8.0
Expressionengine Expressionengine 2.7.3
Ellislab Expressionengine 2.7.2
Ellislab Expressionengine 2.7.1
Expressionengine Expressionengine 2.2.1
Expressionengine Expressionengine 2.2.0
Expressionengine Expressionengine 2.1.5
Expressionengine Expressionengine 2.1.4
Expressionengine Expressionengine
Ellislab Expressionengine 2.6.1
Ellislab Expressionengine 2.5.5
Ellislab Expressionengine 2.3.1
Expressionengine Expressionengine 2.2.2
Expressionengine Expressionengine 2.1.3
5
CVSSv2
CVE-2017-0897
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution.
Expressionengine Expressionengine 3.5.1
Expressionengine Expressionengine 3.4.7
Expressionengine Expressionengine 3.4.0
Expressionengine Expressionengine 3.3.3
Expressionengine Expressionengine 3.1.3
Expressionengine Expressionengine 3.1.1
Expressionengine Expressionengine 3.0.3
Expressionengine Expressionengine 3.0.1
Expressionengine Expressionengine 2.11.2
Expressionengine Expressionengine 2.11.0
Expressionengine Expressionengine 2.9.1
Expressionengine Expressionengine 2.8.1
Expressionengine Expressionengine 2.7.0
Expressionengine Expressionengine 3.4.5
Expressionengine Expressionengine 3.4.4
Expressionengine Expressionengine 3.4.3
Expressionengine Expressionengine 3.4.2
Expressionengine Expressionengine 3.1.0
Expressionengine Expressionengine 3.0.6
Expressionengine Expressionengine 3.0.5
Expressionengine Expressionengine 3.0.4
Expressionengine Expressionengine 2.10.2
4.3
CVSSv2
CVE-2018-17874
ExpressionEngine prior to 4.3.5 has reflected XSS.
Expressionengine Expressionengine
4.3
CVSSv2
CVE-2009-1070
Cross-site scripting (XSS) vulnerability in system/index.php in ExpressionEngine 1.6.4 up to and including 1.6.6, and possibly earlier versions, allows remote malicious users to inject arbitrary web script or HTML via the avatar parameter.
Expressionengine Expressionengine 1.6.4
Expressionengine Expressionengine 1.6.5
Expressionengine Expressionengine 1.6.6
1 EDB exploit
4.3
CVSSv2
CVE-2008-0201
Cross-site scripting (XSS) vulnerability in index.php in ExpressionEngine 1.2.1 and previous versions allows remote malicious users to inject arbitrary web script or HTML via the URL parameter.
Expressionengine Expressionengine
4.3
CVSSv2
CVE-2008-0202
CRLF injection vulnerability in index.php in ExpressionEngine 1.2.1 and previous versions allows remote malicious users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter.
Expressionengine Expressionengine