cpe:/a:exponentcms:exponent_cms:2.4.0 CVE-2016-9286 2016-11-11T17:59:04.310-05:00 2017-07-27T21:29:08.267-04:00 5.0 NETWORK LOW NONE PARTIAL NONE NONE http://nvd.nist.gov 2016-11-29T12:20:42.423-05:00 SECTRACK 1037281 BID 94296 CONFIRM https://github.com/exponentcms/exponent-cms/commit/e38aae66c785f08f3907aa121378caf71ca5f2d7 framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0patch1 does not properly restrict access to user records, which allows remote attackers to read address information, as demonstrated by an address/show/id/1 URI.