Bigtreecms Bigtree Cms vulnerabilities
44 known vulnerabilities affecting bigtreecms/bigtree_cms.

Total CVEs: 44
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 16, MEDIUM 24, LOW 1
Vulnerabilities
Page 2 of 3
CVE-2017-9365 | P4 | HIGH | CVSS 8.8 | ≤ 4.2.18 | 2017-06-02
CVE-2017-9365 [HIGH] CWE-352
CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.
Source: nvd
CVE-2017-9379 | P4 | HIGH | CVSS 8.8 | ≤ 4.2.18 | 2017-06-02
CVE-2017-9379 [HIGH] CWE-352
Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php.
Source: nvd
CVE-2017-9378 | P4 | MEDIUM | CVSS 6.5 | ≤ 4.2.18 | 2017-06-02
CVE-2017-9378 [MEDIUM] CWE-863
BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted.
Source: nvd
CVE-2022-36197 | P4 | MEDIUM | CVSS 5.4 | v4.4.16 | 2022-08-03
CVE-2022-36197 [MEDIUM] CWE-79
BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PDF file.
Source: nvd
CVE-2016-10223 | P4 | MEDIUM | CVSS 5.4 | ≤ 4.2.14 | 2017-02-14
CVE-2016-10223 [MEDIUM] CWE-284
An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Source: nvd
CVE-2013-5313 | P4 | MEDIUM | CVSS 6.8 | ≤ 4.0, v4.0 | 2013-08-19
CVE-2013-5313 [MEDIUM] CWE-352
Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that modify arbitrary user accounts via an edit user action.
Source: nvd
CVE-2017-6914 | P4 | HIGH | CVSS 7.1 | v4.1.8, v4.2.16 | 2017-03-15
CVE-2017-6914 [HIGH] CWE-352
CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted.
Source: nvd
CVE-2018-1000521 | P4 | MEDIUM | CVSS 6.1 | v4.2.21 | 2018-06-26
CVE-2018-1000521 [MEDIUM] CWE-79
BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create that can result in low-privileged users using this vulnerability to attack high-privileged (Developer) users. This attack appears to be exploitable via no. This vulnerability appears to have been fixed after commit b652cfdc14d0670c81ac4401ad5a04376745c279.
Source: nvd
CVE-2018-18380 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.2.24 | 2018-10-19
CVE-2018-18380 [MEDIUM] CWE-384
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.
Source: nvd
CVE-2018-10364 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.2.22 | 2018-04-30
CVE-2018-10364 [MEDIUM] CWE-79
BigTree before 4.2.22 has XSS in the Users management page via the name or company field.
Source: nvd
CVE-2023-44954 | P4 | MEDIUM | CVSS 5.4 | v4.5.7 | 2023-11-01
CVE-2023-44954 [MEDIUM] CWE-79
Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions.
Source: nvd
CVE-2020-26669 | P4 | MEDIUM | CVSS 5.4 | ≤ 4.4.10 | 2021-06-01
CVE-2020-26669 [MEDIUM] CWE-79
A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update.
Source: nvd
CVE-2020-18467 | P4 | MEDIUM | CVSS 5.4 | v4.4.3 | 2021-08-26
CVE-2020-18467 [MEDIUM] CWE-79
Cross Site Scripting (XSS) vulnerability exists in BigTree-CMS 4.4.3 in the tag name field found in the Tags page under the General menu via a crafted website name by doing an authenticated POST HTTP request to admin/tags/create.
Source: nvd
CVE-2018-10183 | P4 | MEDIUM | CVSS 6.1 | v4.2.22 | 2018-04-17
CVE-2018-10183 [MEDIUM] CWE-79
An issue was discovered in BigTree 4.2.22. There is cross-site scripting (XSS) in /core/inc/lib/less.php/test/index.php because of a $_SERVER['REQUEST_URI'] echo, as demonstrated by the dir parameter in a file=charsets action.
Source: nvd
CVE-2018-6013 | P4 | MEDIUM | CVSS 5.4 | v4.2.19 | 2018-01-23
CVE-2018-6013 [MEDIUM] CWE-79
Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. This issue exists in core/admin/ajax/developer/extensions/file-browser.php.
Source: nvd
CVE-2017-9547 | P4 | MEDIUM | CVSS 5.4 | ≤ 4.2.18 | 2017-06-12
CVE-2017-9547 [MEDIUM] CWE-79
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change).
Source: nvd
CVE-2017-9548 | P4 | MEDIUM | CVSS 5.4 | ≤ 4.2.18 | 2017-06-12
CVE-2017-9548 [MEDIUM] CWE-79
admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change).
Source: nvd
CVE-2017-9448 | P4 | MEDIUM | CVSS 5.4 | ≤ 4.2.18 | 2017-06-06
CVE-2017-9448 [MEDIUM] CWE-79
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer
Source: nvd
CVE-2017-9546 | P4 | MEDIUM | CVSS 5.7 | ≤ 4.2.18 | 2017-06-12
CVE-2017-9546 [MEDIUM] CWE-79
admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name.
Source: nvd
CVE-2017-6916 | P4 | MEDIUM | CVSS 4.3 | v4.1.8 | 2017-03-15
CVE-2017-6916 [MEDIUM] CWE-352
CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
Source: nvd