Search
Total
15 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-26670 | 1 Bigtreecms | 1 Bigtree Cms | 2022-05-03 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function. | |||||
| CVE-2020-26668 | 1 Bigtreecms | 1 Bigtree Cms | 2021-06-09 | 6.5 MEDIUM | 8.8 HIGH |
| A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function. | |||||
| CVE-2018-17341 | 2 Bigtreecms, Microsoft | 2 Bigtree Cms, Windows | 2018-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI. | |||||
| CVE-2018-17030 | 1 Bigtreecms | 1 Bigtree Cms | 2018-11-07 | 6.0 MEDIUM | 7.5 HIGH |
| BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php. | |||||
| CVE-2017-11736 | 1 Bigtreecms | 1 Bigtree Cms | 2017-08-02 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. | |||||
| CVE-2017-9444 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-12 | 6.8 MEDIUM | 8.8 HIGH |
| BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | |||||
| CVE-2017-9449 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-12 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name. | |||||
| CVE-2017-9443 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-09 | 6.5 MEDIUM | 8.8 HIGH |
| ** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files." | |||||
| CVE-2017-9442 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-09 | 6.5 MEDIUM | 8.8 HIGH |
| ** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files." | |||||
| CVE-2017-9365 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 6.8 MEDIUM | 8.8 HIGH |
| CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked. | |||||
| CVE-2017-9379 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 6.8 MEDIUM | 8.8 HIGH |
| Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php. | |||||
| CVE-2017-9427 | 1 Bigtreecms | 1 Bigtree Cms | 2017-06-06 | 6.5 MEDIUM | 8.8 HIGH |
| SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true. | |||||
| CVE-2017-9428 | 2 Bigtreecms, Microsoft | 2 Bigtree Cms, Windows | 2017-06-06 | 5.0 MEDIUM | 7.5 HIGH |
| A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter. | |||||
| CVE-2017-7881 | 1 Bigtreecms | 1 Bigtree Cms | 2017-04-21 | 6.8 MEDIUM | 8.8 HIGH |
| BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14. | |||||
| CVE-2017-6914 | 1 Bigtreecms | 1 Bigtree Cms | 2017-03-16 | 5.8 MEDIUM | 7.1 HIGH |
| CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted. | |||||