Filtered by vendor Bigtreecms
Filtered by product Bigtree Cms
Total: 44 CVE (20 listed on this page)
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2017-9443 | Bigtreecms | Bigtree Cms | 2024-09-17 | 8.8 High | BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in the manifest.json of an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
CVE-2017-9444 | Bigtreecms | Bigtree Cms | 2024-09-17 | N/A | BigTree CMS through 4.2.18 has CSRF vulnerabilities in the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI.
CVE-2017-9379 | Bigtreecms | Bigtree Cms | 2024-09-17 | N/A | Multiple CSRF issues exist in BigTree CMS through 4.2.18: the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php, and the from and to parameters to core\admin\modules\dashboard\vitals-statistics\404\create-301.php.
CVE-2017-9442 | Bigtreecms | Bigtree Cms | 2024-09-17 | N/A | BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell: the ZIP archive is extracted to paths such as cache/package/xxx/yyy.php, from which the shell can then be requested. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
CVE-2013-5313 | Bigtreecms | Bigtree Cms | 2024-09-17 | N/A | Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that modify arbitrary user accounts via an edit user action.
CVE-2017-6915 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | CSRF exists in BigTree CMS 4.1.18 via the colophon parameter of the admin/settings/update/ page, allowing the Colophon setting to be changed.
CVE-2017-9441 | Bigtreecms | Bigtree Cms | 2024-09-16 | 2.7 Low | Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title, (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
CVE-2017-9448 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Lower-privileged users (BigTree's Administrator level) can attack higher-privileged users (Developer level).
CVE-2017-9449 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker supplies a crafted table name at admin/developer/modules/views/create/, and the injection is triggered at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name.
CVE-2017-11736 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter.
CVE-2018-17341 | Bigtreecms, Microsoft | Bigtree Cms, Windows | 2024-09-16 | N/A | BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI.
CVE-2017-6917 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | CSRF exists in BigTree CMS 4.2.16 via the value parameter of the admin/settings/update/ page, allowing the Colophon setting to be changed.
CVE-2018-10574 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files.
CVE-2017-9378 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This has security relevance because deletion was intended to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted.
CVE-2017-6918 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | CSRF exists in BigTree CMS 4.2.16 via the value[#][*] parameter of the admin/settings/update/ page, allowing the Navigation Social setting to be changed.
CVE-2017-6914 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | CSRF exists in BigTree CMS 4.1.18 and 4.2.16 via the id parameter of the admin/ajax/users/delete/ page, allowing a user to be deleted.
CVE-2017-6916 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | CSRF exists in BigTree CMS 4.1.18 via the nav-social[#] parameter of the admin/settings/update/ page, allowing the Navigation Social setting to be changed.
CVE-2017-7695 | Bigtreecms | Bigtree Cms | 2024-09-16 | N/A | Unrestricted file upload exists in BigTree CMS before 4.2.17: if an attacker uploads a file whose name is 'xxx.php' followed by a space, the upload safety check is bypassed and the file can be used to execute arbitrary code.
CVE-2023-44954 | Bigtreecms | Bigtree Cms | 2024-09-05 | 5.4 Medium | Cross-site scripting (XSS) vulnerability in BigTree CMS v4.5.7 allows a remote attacker to inject arbitrary web script or HTML via the ID parameter of the Developer Settings functions.
CVE-2013-4880 | Bigtreecms | Bigtree Cms | 2024-08-06 | N/A | Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter.
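Two of the upload entries above, CVE-2017-7695 ('xxx.php' with a trailing space) and CVE-2018-10574 (.htaccess), are the same class of mistake: a check on the reported extension rather than on the whole file name. The script below is an added example, not BigTree's code and not from this listing; the function names, the allow/deny lists and the sample file names are this example's own, and it goes a little beyond the two CVEs by also covering a trailing dot and a double extension.

```php
<?php
declare(strict_types=1);

// Added example, not BigTree's code: an upload-name check of the shape that
// "xxx.php " (CVE-2017-7695) and ".htaccess" (CVE-2018-10574) slip past,
// beside an allowlist check that rejects both. Function names, the
// extension lists and the sample names below are this example's own.

// Denylist check: only the extension that pathinfo() reports is compared.
// "xxx.php " reports the extension "php " (trailing space kept), which is
// not on the list; ".htaccess" reports "htaccess", which is not either.
function naiveIsSafe(string $name): bool
{
    $blocked = ['php', 'phtml', 'php3', 'php5', 'phar'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist check on the whole name: one stem, one extension, no leading
// dot (dotfiles such as .htaccess), no trailing space or dot (NTFS strips
// them when the file is written, so "xxx.php " lands on disk as xxx.php),
// no path separators, and an extension drawn from an explicit list.
function hardenedIsSafe(string $name): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
    if (!preg_match('/\A[A-Za-z0-9_-]{1,100}\.([A-Za-z0-9]{1,8})\z/', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Even when the name passes, do not reuse it on disk: store under a fresh
// random stem and carry over only the validated, lower-cased extension.
function storedName(string $name): ?string
{
    if (!hardenedIsSafe($name)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names; the two CVE shapes are the interesting ones.
$samples = [
    'photo.jpg',
    'xxx.php',
    'xxx.php ',      // CVE-2017-7695 shape: trailing space
    '.htaccess',     // CVE-2018-10574 shape: Apache per-directory config
    'xxx.jpg.php',
    'xxx.php.',      // trailing dot, also stripped by NTFS on write
];
foreach ($samples as $s) {
    printf("%-14s naive=%-5s hardened=%s\n",
        json_encode($s),
        naiveIsSafe($s) ? 'allow' : 'deny',
        hardenedIsSafe($s) ? 'allow' : 'deny');
}
```

Run it with `php` from the command line; one line per sample shows the denylist letting the trailing-space and .htaccess names through while the allowlist rejects them. The .htaccess case matters because, where Apache honours per-directory config in the upload directory, an attacker-supplied .htaccess can map any extension to the PHP handler, which is why an extension denylist alone never closes that hole.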
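CVE-2018-17341 in the table is a Windows-specific path problem: the filesystem there accepts "\" as a separator alongside "/", so a route that a raw-string check reads as living under admin/images/ can resolve one directory up. The script below is an added example, not BigTree's code and not a reconstruction of its router; it shows one check shape that such a "..\" segment defeats and the canonicalised check that closes it. Function names and the sample routes are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not BigTree's code: a route check of the shape that a
// "..\" segment defeats on Windows (CVE-2018-17341), beside a check made
// on the canonicalised route. Function names and the sample routes are
// this example's own.

// Raw-string prefix test. On Windows the filesystem accepts "\" as a
// separator as well as "/", so "admin/images/..\" really addresses
// "admin/", but this test only sees the "admin/images/" prefix.
function naiveIsPublicAsset(string $route): bool
{
    return strncmp($route, 'admin/images/', 13) === 0;
}

// Canonicalise the route the way the Windows filesystem will read it:
// "/" and "\" both split segments, "." is dropped, ".." pops a segment,
// and climbing above the root is refused (null) instead of clamped.
function canonicalRoute(string $route): ?string
{
    $out = [];
    foreach (preg_split('~[/\\\\]+~', $route) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($out === []) {
                return null;
            }
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

// Same decision, taken on the canonical form; a bare "admin/images" (the
// directory itself) no longer qualifies as an asset either.
function hardenedIsPublicAsset(string $route): bool
{
    $canon = canonicalRoute($route);
    return $canon !== null && strncmp($canon, 'admin/images/', 13) === 0;
}

// Constructed sample routes.
$samples = [
    'admin/images/logo.png',
    'admin/images/..\\',          // the CVE-2018-17341 shape
    'admin/images/../login',
    'admin/images/..\\..\\x',     // climbs out of admin/ entirely
];
foreach ($samples as $r) {
    printf("%-26s naive=%-5s hardened=%s\n",
        $r,
        naiveIsPublicAsset($r) ? 'asset' : 'other',
        hardenedIsPublicAsset($r) ? 'asset' : 'other');
}
```

The design point is to take every authorisation decision on the canonical form of the path and never on the string the client sent; on a real deployment the canonical route should additionally be resolved with realpath() and confirmed to sit under the intended directory before anything is included or served.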