
Bigtreecms Bigtree Cms vulnerabilities

44 known vulnerabilities affecting bigtreecms/bigtree_cms.

Total CVEs
44
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
CRITICAL 3
HIGH 16
MEDIUM 24
LOW 1

Vulnerabilities

Page 1 of 3
CVE-2013-4879 | P3 | HIGH | CVSS 7.5 | PoC | ≤ 4.0 | v4.0 | 2013-08-14
CWE-89: SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php.
Source: nvd

CVE-2018-18308 | P3 | MEDIUM | CVSS 6.1 | PoC | v4.2.23 | 2018-10-16
CWE-79: In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).
Source: nvd

CVE-2020-26670 | P3 | HIGH | CVSS 8.8 | ≤ 4.4.10 | 2021-06-01
CWE-78: A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function.
Source: nvd

CVE-2018-10574 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.22 | 2018-04-30
CWE-94: site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files.
Source: nvd

CVE-2013-4881 | P4 | MEDIUM | CVSS 6.8 | PoC | ≤ 4.0 | v4.0 | 2013-08-19
CWE-352: Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create an administrative user via an add user action to index.php.
Source: nvd

CVE-2017-7695 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.16 | 2017-04-11
CWE-434: Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code.
Source: nvd

CVE-2017-9364 | P3 | CRITICAL | CVSS 9.8 | ≤ 4.2.18 | 2017-06-02
CWE-434: Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code.
Source: nvd

CVE-2017-9427 | P3 | HIGH | CVSS 8.8 | ≤ 4.2.18 | 2017-06-04
CWE-89: SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?e
Source: nvd

CVE-2017-9442 | P3 | HIGH | CVSS 8.8 | ≤ 4.2.18 | 2017-06-05
CWE-94: BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\pac
Source: nvd

CVE-2020-26668 | P3 | HIGH | CVSS 8.8 | ≤ 4.4.10 | 2021-06-01
CWE-89: A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function.
Source: nvd

CVE-2017-9449 | P3 | HIGH | CVSS 8.8 | ≤ 4.2.18 | 2017-06-06
CWE-89: SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/
Source: nvd

CVE-2017-11736 | P3 | HIGH | CVSS 8.8 | v4.2.18 | 2017-07-29
CWE-89: SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter.
Source: nvd

CVE-2018-17341 | P3 | HIGH | CVSS 8.1 | v4.2.23 | 2018-09-23
CWE-287: BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI.
Source: nvd

CVE-2018-17030 | P3 | HIGH | CVSS 7.5 | v4.2.23 | 2018-09-14
CWE-94: BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php.
Source: nvd

CVE-2017-9443 | P3 | HIGH | CVSS 8.8 | ≤ 4.2.18 | 2017-06-05
CWE-89: BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust
Source: nvd

CVE-2013-4880 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 4.0 | v4.0 | 2013-08-14
CWE-79: Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter.
Source: nvd

CVE-2017-9428 | P3 | HIGH | CVSS 7.5 | ≤ 4.2.18 | 2017-06-04
CWE-22: A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter.
Source: nvd

CVE-2017-7881 | P3 | HIGH | CVSS 8.8 | ≤ 4.2.17 | 2017-04-15
CWE-352: BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
Source: nvd

CVE-2017-16961 | P3 | MEDIUM | CVSS 6.5 | ≤ 4.2.19 | 2017-11-27
CWE-89: A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later ad
Source: nvd

CVE-2017-9444 | P3 | HIGH | CVSS 8.8 | ≤ 4.2.18 | 2017-06-05
CWE-352: BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI.
Source: nvd