Bigtree CMS
by Bigtreecms
CVEs (29)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-6918 | Med | 0.28 | 4.3 | 0.00 | | Mar 15, 2017 | CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed. |
| CVE-2017-6917 | Med | 0.28 | 4.3 | 0.00 | | Mar 15, 2017 | CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed. |
| CVE-2017-6916 | Med | 0.28 | 4.3 | 0.00 | | Mar 15, 2017 | CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed. |
| CVE-2017-6915 | Med | 0.28 | 4.3 | 0.00 | | Mar 15, 2017 | CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed. |
| CVE-2017-9441 | Low | 0.18 | 2.7 | 0.00 | | Jun 5, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files. |
| CVE-2013-4881 | | 0.03 | — | 0.00 | | Aug 19, 2013 | Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create an administrative user via an add user action to index.php. |
| CVE-2013-5313 | | 0.00 | — | 0.00 | | Aug 19, 2013 | Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that modify arbitrary user accounts via an edit user action. |
| CVE-2013-4880 | | 0.00 | — | 0.05 | | Aug 14, 2013 | Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter. |
| CVE-2013-4879 | | 0.00 | — | 0.01 | | Aug 14, 2013 | SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php. |