Security Vulnerability - All Exponent Versions - October 2016

Saturday, October 29, 2016 Tags: release, bugs, security

Several security vulnerabilities affecting all versions of Exponent 2.x were found in September and October 2016, reported by a number of individuals including: Manuel Garcia Cardenas, the PKAV TEAM, fyth, felixk3y, DM_, obfusor, xiaoL, ylgaaaaa, Tomato, wooeast, and xiojunjie. These vulnerabilities could allow possible SQL injections, remote file exploits, RCE, XSS, changes to configurations, and other issues. They have been present in all versions of Exponent (2.x). The fix is:

  • Update to the latest version (v2.4.0), which was released October 28th. This is the only version of Exponent that will receive these fixes, and it is now the only supported version of Exponent (at this time). All Exponent installations should be upgraded to v2.4.0 (or later) as soon as practical.
  • There is no manual method,