### [CVE-2022-23049](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23049)
![](https://img.shields.io/static/v1?label=Product&message=Exponent%20CMS&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=Stored%20cross-site%20scripting%20(XSS)&color=brighgreen)

### Description

Exponent CMS 2.6.0patch2 allows an authenticated user to inject persistent JavaScript code on the "User-Agent" header when logging in. When an administrator user visits the "User Sessions" tab, the JavaScript will be triggered allowing an attacker to compromise the administrator session.

### POC

#### Reference
- https://exponentcms.lighthouseapp.com/projects/61783/tickets/1461
- https://fluidattacks.com/advisories/cobain/

#### Github
No PoCs found on GitHub currently.