Filtered by vendor Bigtreecms
Subscriptions
Total
45 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-44954 | 1 Bigtreecms | 1 Bigtree Cms | 2024-09-05 | 5.4 Medium |
Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions. | ||||
CVE-2017-9441 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-16 | 2.7 Low |
Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files. | ||||
CVE-2013-5313 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-06 | N/A |
Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that modify arbitrary user accounts via an edit user action. | ||||
CVE-2013-4880 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-06 | N/A |
Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter. | ||||
CVE-2013-4879 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-06 | N/A |
SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php. | ||||
CVE-2013-4881 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-06 | N/A |
Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create an administrative user via an add user action to index.php. | ||||
CVE-2016-10223 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-06 | N/A |
An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | ||||
CVE-2017-16961 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request. | ||||
CVE-2017-11736 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. | ||||
CVE-2017-9443 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | 8.8 High |
BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files. | ||||
CVE-2017-9442 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files. | ||||
CVE-2017-9546 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name. | ||||
CVE-2017-9547 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change). | ||||
CVE-2017-9548 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change). | ||||
CVE-2017-9448 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users. | ||||
CVE-2017-9449 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name. | ||||
CVE-2017-9444 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | ||||
CVE-2017-9427 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true. | ||||
CVE-2017-9428 | 2 Bigtreecms, Microsoft | 2 Bigtree Cms, Windows | 2024-08-05 | N/A |
A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter. | ||||
CVE-2017-9378 | 1 Bigtreecms | 1 Bigtree Cms | 2024-08-05 | N/A |
BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted. |