Total
44 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-4881 | 1 Bigtreecms | 1 Bigtree Cms | 2017-08-29 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create an administrative user via an add user action to index.php. | |||||
| CVE-2013-4880 | 1 Bigtreecms | 1 Bigtree Cms | 2017-08-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter. | |||||
| CVE-2013-4879 | 1 Bigtreecms | 1 Bigtree Cms | 2017-08-29 | 7.5 HIGH | N/A |
| SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php. | |||||
| CVE-2017-11736 | 1 Bigtreecms | 1 Bigtree Cms | 2017-08-02 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. | |||||
| CVE-2017-9548 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-15 | 3.5 LOW | 5.4 MEDIUM |
| admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change). | |||||
| CVE-2017-9546 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-15 | 3.5 LOW | 5.7 MEDIUM |
| admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name. | |||||
| CVE-2017-9547 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-15 | 3.5 LOW | 5.4 MEDIUM |
| admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change). | |||||
| CVE-2017-9444 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-12 | 6.8 MEDIUM | 8.8 HIGH |
| BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | |||||
| CVE-2017-9448 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-12 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users. | |||||
| CVE-2017-9449 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name. | |||||
| CVE-2017-9364 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. | |||||
| CVE-2017-9365 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked. | |||||
| CVE-2017-9379 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php. | |||||
| CVE-2017-9427 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true. | |||||
| CVE-2017-9428 | 2 Bigtreecms, Microsoft | 2 Bigtree Cms, Windows | 2017-06-06 | 5.0 MEDIUM | 7.5 HIGH |
| A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter. | |||||
| CVE-2017-7881 | 1 Bigtreecms | 1 Bigtree Cms | 2017-04-21 | 6.8 MEDIUM | 8.8 HIGH |
| BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14. | |||||
| CVE-2017-7695 | 1 Bigtreecms | 1 Bigtree Cms | 2017-04-17 | 7.5 HIGH | 9.8 CRITICAL |
| Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. | |||||
| CVE-2017-6914 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 5.8 MEDIUM | 7.1 HIGH |
| CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted. | |||||
| CVE-2017-6918 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | |||||
| CVE-2017-6915 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 4.3 MEDIUM | 4.3 MEDIUM |
| CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed. | |||||