BigTree CMS (bigtreecms/bigtree_cms) vulnerabilities
44 known vulnerabilities affecting bigtreecms/bigtree_cms.
Total CVEs: 44
CISA KEV: 0
Public exploits (PoC listed): 4
Exploited in the wild: 0
Severity breakdown: CRITICAL 3, HIGH 16, MEDIUM 24, LOW 1
Vulnerabilities
Page 1 of 3. Fields per entry: CVE | priority | severity | CVSS base score | CWE | PoC flag (where listed) | affected versions | published | source.
CVE-2013-4879 | P3 | HIGH | CVSS 7.5 | CWE-89 | PoC listed | affected: ≤ 4.0 (v4.0) | published 2013-08-14 | source: NVD
SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php.
CVE-2018-18308 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC listed | affected: 4.2.23 | published 2018-10-16 | source: NVD
In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).
CVE-2020-26670 | P3 | HIGH | CVSS 8.8 | CWE-78 | affected: ≤ 4.4.10 | published 2021-06-01 | source: NVD
A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function.
CVE-2018-10574 | P3 | CRITICAL | CVSS 9.8 | CWE-94 | affected: ≤ 4.2.22 | published 2018-04-30 | source: NVD
site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files.
CVE-2013-4881 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | PoC listed | affected: ≤ 4.0 (v4.0) | published 2013-08-19 | source: NVD
Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create an administrative user via an add user action to index.php.
CVE-2017-7695 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | affected: ≤ 4.2.16 | published 2017-04-11 | source: NVD
Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code.
CVE-2017-9364 | P3 | CRITICAL | CVSS 9.8 | CWE-434 | affected: ≤ 4.2.18 | published 2017-06-02 | source: NVD
Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code.
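The three upload entries above (CVE-2018-10574, CVE-2017-7695, CVE-2017-9364) are all failures of the same pattern: an extension denylist applied to the raw client filename. The following is an added example, not BigTree's code or anything from the NVD record; the function names, allowlist and probe filenames are constructed for illustration. It shows a denylist check that passes each of the three CVE payloads beside an allowlist check that normalises the name first. Requires PHP 8.0 or later.

```php
<?php
// Added example, not BigTree's code: an extension denylist of the kind the
// three upload CVEs above bypass, beside an allowlist check that normalises
// the name first. Function names and probe strings are constructed.

// Vulnerable: blocks a fixed list of extensions taken from the raw client name.
function denylist_upload_allowed(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phps', 'cgi', 'pl', 'asp', 'aspx'];
    // pathinfo() does not trim, so "shell.php " yields "php " and slips past;
    // ".htaccess" yields "htaccess" and "shell.pht" yields "pht", neither listed.
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened: strip any path, strip trailing whitespace and dots (Windows drops
// them when writing), refuse dotfiles and control bytes, then allowlist.
function allowlist_upload_allowed(string $filename): bool
{
    $name = basename(str_replace('\\', '/', $filename));
    $name = rtrim($name, " \t\r\n\0\x0B.");
    if ($name === '' || $name[0] === '.' || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return false;
    }
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Store under a random basename carrying only the vetted extension, so the
// client name never reaches disk and Apache's multi-extension handling never
// sees a name such as "shell.php.jpg".
function stored_name(string $filename): string
{
    $name = rtrim(basename(str_replace('\\', '/', $filename)), " \t\r\n\0\x0B.");
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed probe names covering the CVE cases above plus two benign ones.
$probes = ['shell.php ', 'shell.pht', 'shell.phtml', '.htaccess', 'photo.PNG', 'shell.php.jpg', 'dir\\..\\x.php'];
foreach ($probes as $p) {
    printf("%-18s denylist=%-5s allowlist=%s\n", json_encode($p),
        denylist_upload_allowed($p) ? 'pass' : 'block',
        allowlist_upload_allowed($p) ? 'pass' : 'block');
}
echo stored_name('photo.PNG'), "\n";
```

Run with `php upload_check.php`. The denylist passes every one of the CVE payloads; the allowlist blocks them and still accepts the image. Note that an extension check alone is not a content check: if the server must also trust the bytes, inspect them (for images, decode and re-encode) rather than trusting the name.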
CVE-2017-9427 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: ≤ 4.2.18 | published 2017-06-04 | source: NVD
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?e
CVE-2017-9442 | P3 | HIGH | CVSS 8.8 | CWE-94 | affected: ≤ 4.2.18 | published 2017-06-05 | source: NVD
BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\pac
CVE-2020-26668 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: ≤ 4.4.10 | published 2021-06-01 | source: NVD
A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function.
CVE-2017-9449 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: ≤ 4.2.18 | published 2017-06-06 | source: NVD
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/
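CVE-2017-9427 and CVE-2017-9449 are second-order injections: the attacker stores a crafted table name at module-creation time and a later page interpolates it into a query. Bound parameters cannot carry table or column names, so identifiers need their own allowlist. The following is an added example, not BigTree's code; the function names, the table names and the crafted probe strings are constructed for illustration.

```php
<?php
// Added example, not BigTree's code: an identifier saved at creation time and
// interpolated into a later query, beside a validate-then-quote helper.
// Table names and probes are constructed for illustration.

// Vulnerable: the stored table name is trusted verbatim in a later query.
function count_rows_query_naive(string $table): string
{
    return "SELECT COUNT(*) FROM $table";
}

// Hardened: strict pattern (MySQL's 64-character identifier limit) plus
// backtick quoting. The pattern already forbids backticks; doubling them is
// belt and braces in case the pattern is ever loosened.
function quote_identifier(string $ident): string
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $ident)) {
        throw new InvalidArgumentException('invalid identifier: ' . json_encode($ident));
    }
    return '`' . str_replace('`', '``', $ident) . '`';
}

function count_rows_query(string $table): string
{
    return 'SELECT COUNT(*) FROM ' . quote_identifier($table);
}

// Constructed probes: one legitimate name and two of the kind an attacker
// would store at module-creation time and trigger from a later page.
$probes = [
    'bigtree_pages',
    'bigtree_pages WHERE 1=0 UNION SELECT password FROM bigtree_users -- ',
    'pages`; DROP TABLE bigtree_users; -- ',
];
foreach ($probes as $t) {
    echo "naive:    ", count_rows_query_naive($t), "\n";
    try {
        echo "hardened: ", count_rows_query($t), "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened: rejected (", $e->getMessage(), ")\n";
    }
}
```

The validation belongs at both ends: reject the name when it is first submitted, and quote it again wherever it is read back, because the stored value may have been written before the check existed or by a different code path.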
CVE-2017-11736 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: 4.2.18 | published 2017-07-29 | source: NVD
SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter.
CVE-2018-17341 | P3 | HIGH | CVSS 8.1 | CWE-287 | affected: 4.2.23 | published 2018-09-23 | source: NVD
BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI.
CVE-2018-17030 | P3 | HIGH | CVSS 7.5 | CWE-94 | affected: 4.2.23 | published 2018-09-14 | source: NVD
BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php.
CVE-2017-9443 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: ≤ 4.2.18 | published 2017-06-05 | source: NVD
BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust
CVE-2013-4880 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | PoC listed | affected: ≤ 4.0 (v4.0) | published 2013-08-14 | source: NVD
Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter.
CVE-2017-9428 | P3 | HIGH | CVSS 7.5 | CWE-22 | affected: ≤ 4.2.18 | published 2017-06-04 | source: NVD
A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter.
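CVE-2017-9428 above and CVE-2018-17341 earlier on this page share a cause: a check that only recognises "../" as traversal, while Windows also treats "\" as a path separator, so "..\" walks up a directory unchallenged. The following is an added example, not BigTree's code; the function names, the temporary fixture and the probe paths are constructed. It shows the forward-slash-only check beside one that normalises separators, rejects any ".." segment and NUL bytes, and then confirms the resolved path is still inside the base directory. Requires PHP 8.0 or later.

```php
<?php
// Added example, not BigTree's code: a containment check that only looks for
// "../" beside one that handles "\" as a separator and verifies the resolved
// path. Fixture directory and probe paths are constructed for illustration.

// Vulnerable: "..\" is not matched, so it passes and the OS (or a rewrite
// rule) later interprets it as a parent-directory step.
function path_allowed_naive(string $requested): bool
{
    return strpos($requested, '../') === false;
}

// Hardened: returns the resolved absolute path, or null if the request must
// be refused.
function resolve_inside(string $base, string $requested): ?string
{
    if (str_contains($requested, "\0")) {
        return null;                                  // NUL truncation tricks
    }
    $norm = str_replace('\\', '/', $requested);       // treat "\" as a separator too
    foreach (explode('/', $norm) as $seg) {
        if ($seg === '..') {
            return null;                              // catches "..\" as well as "../"
        }
    }
    $realBase = realpath($base);
    $real     = realpath($base . '/' . ltrim($norm, '/'));
    if ($realBase === false || $real === false) {
        return null;                                  // nonexistent path or dangling symlink
    }
    // Final containment check: realpath() follows symlinks, so confirm the
    // target still lies under the base directory.
    if ($real !== $realBase && !str_starts_with($real, $realBase . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $real;
}

// Constructed fixture: a base directory holding one legitimate file.
$base = sys_get_temp_dir() . '/bt_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/images', 0700, true);
file_put_contents($base . '/images/logo.png', 'png');

$probes = ['images/logo.png', '../etc/passwd', '..\\..\\windows\\win.ini', 'images/..\\..\\config.php'];
foreach ($probes as $p) {
    printf("%-28s naive=%-5s hardened=%s\n", $p,
        path_allowed_naive($p) ? 'pass' : 'block',
        resolve_inside($base, $p) !== null ? 'pass' : 'block');
}

unlink($base . '/images/logo.png');
rmdir($base . '/images');
rmdir($base);
```

The naive check passes both backslash probes; the hardened one refuses them before touching the filesystem and only then resolves the path. The realpath() step matters on its own account: segment filtering says nothing about symlinks already inside the base directory.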
CVE-2017-7881 | P3 | HIGH | CVSS 8.8 | CWE-352 | affected: ≤ 4.2.17 | published 2017-04-15 | source: NVD
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
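The bypass in CVE-2017-7881 works because a substring test on the Referer cannot tell a path from a query string: `https://evil.example/?u=admin/developer/` contains the required text. The following is an added example, not BigTree's code or its patch; the function names, the host `cms.example` and the probe URLs are constructed. It shows the substring check beside one that parses the Referer and compares origin and path prefix, and then the synchronizer token that should carry the real decision, since the Referer header is optional and attacker-influenced. Requires PHP 8.0 or later.

```php
<?php
// Added example, not BigTree's code: the substring-style Referer check
// beside a parsed origin-and-path check, plus a session-bound CSRF token.
// Host name and probe URLs are constructed for illustration.

// Vulnerable: any Referer containing the text passes, including a query
// string on an attacker's site.
function referer_check_substring(string $referer): bool
{
    return strpos($referer, 'admin/developer/') !== false;
}

// Safer Referer check: same scheme and host as this site, and the path
// component (not the query) starts with the protected prefix.
function referer_check_parsed(string $referer, string $ownHost): bool
{
    $u = parse_url($referer);
    if ($u === false || !isset($u['scheme'], $u['host'], $u['path'])) {
        return false;
    }
    if (strtolower($u['scheme']) !== 'https' || strtolower($u['host']) !== strtolower($ownHost)) {
        return false;
    }
    return str_starts_with($u['path'], '/admin/developer/');
}

// The Referer is advisory at best. The decision should rest on a token that
// is generated per session and compared in constant time.
function csrf_token_issue(array &$session): string
{
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function csrf_token_verify(array $session, ?string $submitted): bool
{
    return isset($session['csrf']) && is_string($submitted)
        && hash_equals($session['csrf'], $submitted);
}

$probes = [
    'https://cms.example/admin/developer/packages/',
    'https://evil.example/?u=admin/developer/',
    'https://evil.example/admin/developer/',
    'https://cms.example/search?q=admin/developer/',
];
foreach ($probes as $r) {
    printf("%-52s substring=%-5s parsed=%s\n", $r,
        referer_check_substring($r) ? 'pass' : 'block',
        referer_check_parsed($r, 'cms.example') ? 'pass' : 'block');
}

$session = [];
$token = csrf_token_issue($session);
var_dump(csrf_token_verify($session, $token));     // valid token from the same session
var_dump(csrf_token_verify($session, 'forged'));   // attacker-supplied value
```

Only the first probe should pass the parsed check; the substring check passes all four. In a real handler the token is embedded in every state-changing form and compared on submission, with the Referer check kept, if at all, as a secondary signal that fails closed when the header is absent.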
CVE-2017-16961 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: ≤ 4.2.19 | published 2017-11-27 | source: NVD
A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later ad
CVE-2017-9444 | P3 | HIGH | CVSS 8.8 | CWE-352 | affected: ≤ 4.2.18 | published 2017-06-05 | source: NVD
BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI.