High severity8.8NVD Advisory· Published Apr 15, 2017· Updated May 13, 2026

CVE-2017-7881

Description

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.

Affected products

Bigtreecms/Bigtree CMS
cpe:2.3:a:bigtreecms:bigtree_cms:*:*:*:*:*:*:*:*
Range: <=4.2.17

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/bigtreecms/BigTree-CMS/commit/7761481ac40d83ac29fef42bc6b3c07c86694b56nvdIssue TrackingPatchThird Party Advisory
www.cdxy.menvdExploitThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000