Lucene search
K
BigtreecmsBigtree Cms

44 matches found

CVE
CVE
added 2013/08/13 6:0 p.m.117 views

CVE-2013-4879

Vulnerability: CVE-2013-4879 affects BigTree CMS 4.0 RC2 and earlier, due to an SQL injection in the code path that processes input via PATH_INFO to index.php (affecting core/inc/bigtree/cms.php). The root cause is insufficient sanitization/validation of user-supplied data, enabling remote attack...

7.5CVSS8.3AI score0.03169EPSS
CVE
CVE
added 2018/10/16 10:0 p.m.68 views

CVE-2018-18308

BigTree CMS 4.2.23 contains a Stored XSS vulnerability in the image-upload path /admin/ajax/file-browser/upload/. The issue arises in the image upload handling, allowing an attacker to inject arbitrary web script/HTML via the upload mechanism. Public references (Exploit-DB, CNVD, CNVD-like entrie...

6.1CVSS5.8AI score0.03648EPSS
CVE
CVE
added 2013/08/19 12:0 a.m.62 views

CVE-2013-4881

CVE-2013-4881 is a CSRF vulnerability in BigTree CMS 4.0 RC2 and earlier. The issue lies in core/admin/modules/users/create.php, allowing an attacker to hijack an admin’s session and create a new administrative user via requests to index.php. Exploitation demonstrated with a crafted form that sub...

6.8CVSS7.1AI score0.02199EPSS
CVE
CVE
added 2013/08/13 6:0 p.m.61 views

CVE-2013-4880

CVE-2013-4880 is an XSS vulnerability affecting BigTree CMS 4.0 RC2 and earlier, in core/admin/modules/developer/modules/views/add.php where the module parameter is unsafely handled. The issue allows a remote attacker to inject arbitrary HTML/script by crafting a link such as /site/index.php/admi...

4.3CVSS5.6AI score0.03295EPSS
CVE
CVE
added 2023/11/01 12:0 a.m.59 views

CVE-2023-44954

BigTree CMS 4.5.7 is affected by a Cross-Site Scripting vulnerability in the Developer Settings function, allowing a remote attacker to execute arbitrary code via the ID parameter. The CVE-2023-44954 description and connected sources (CNVD-2023-93329, NVD, OSV, CNNVD) consistently identify BigTre...

5.4CVSS5.8AI score0.00613EPSS
CVE
CVE
added 2017/07/29 2:0 p.m.58 views

CVE-2017-11736

CVE-2017-11736 affects BigTree CMS (version 4.2.18). The vulnerability is an SQL injection in the file core/admin/auto-modules/forms/process.php, exploitable via the tags array parameter, which allows remote authenticated users to execute arbitrary SQL commands. Impact is described as partial to ...

8.8CVSS8.8AI score0.01044EPSS
CVE
CVE
added 2017/03/15 4:0 p.m.58 views

CVE-2017-6915

CVE-2017-6915 affects BigTree CMS 4.1.18. The vulnerability is a CSRF issue in the colophon parameter used by the admin/settings/update/ page, allowing an attacker to alter the Colophon. The CVE is corroborated by multiple sources (Red Hat, NVD, CNVD, OSV, CVE list, etc.). The provided documents ...

4.3CVSS5.2AI score0.00389EPSS
CVE
CVE
added 2017/11/27 10:0 a.m.57 views

CVE-2017-16961

BigTree CMS 4.2.19 and earlier is affected by a SQL injection in core/inc/auto-modules.php. An attacker who is authenticated can exploit a crafted _tags[] parameter in admin/trees/add/process, with the issue later mishandled in admin/ajax/dashboard/approve-change, to obtain information in the con...

6.5CVSS6.2AI score0.01393EPSS
Web
CVE
CVE
added 2022/08/03 12:3 a.m.57 views

CVE-2022-36197

BigTree CMS 4.4.16 contains an arbitrary file upload vulnerability that enables remote code execution via a crafted PDF file. The issue is described across sources as an arbitrary file upload vulnerability affecting BigTree CMS, with CVE-2022-36197 (NVD: CVSS v3.1 base score 5.4; AV:N/AC:L/PR:L/U...

5.4CVSS6.1AI score0.00458EPSS
CVE
CVE
added 2017/06/12 6:0 a.m.56 views

CVE-2017-9548

Summary: CVE-2017-9548 affects BigTree CMS up to version 4.2.18 (BigTree). The vulnerability is a cross-site scripting (XSS) flaw in admin.php that allows remote authenticated users to inject arbitrary script or HTML by using the Home Template Edit Page action and setting the Navigation Title for...

5.4CVSS5.3AI score0.00784EPSS
CVE
CVE
added 2017/02/14 6:30 a.m.54 views

CVE-2016-10223

CVE-2016-10223 – BigTree CMS XSS in id parameter . Affected software: BigTree CMS prior to 4.2.15. The vulnerability stems from insufficient filtration of user-supplied data in the GET parameter id passed to core/admin/adjax/dashboard/check-module-integrity.php, allowing an attacker to inject arb...

5.4CVSS5.7AI score0.0051EPSS
CVE
CVE
added 2017/06/02 3:0 p.m.54 views

CVE-2017-9379

CVE-2017-9379 : The provided documents identify multiple CSRF issues in BigTree CMS

8.8CVSS8.7AI score0.00463EPSS
CVE
CVE
added 2018/04/30 8:0 p.m.53 views

CVE-2018-10574

The CVE-2018-10574 entry pertains to BigTree CMS

9.8CVSS9.8AI score0.02233EPSS
CVE
CVE
added 2017/04/11 11:0 p.m.52 views

CVE-2017-7695

BigTree CMS

9.8CVSS9.6AI score0.01988EPSS
CVE
CVE
added 2021/08/26 5:28 p.m.52 views

CVE-2020-18467

CVE-2020-18467 concerns a cross-site scripting (XSS) vulnerability in BigTree-CMS 4.4.3. The issue arises in the tag name field on the Tags page under General, exploitable by an authenticated user via a crafted website name submitted to admin/tags/create. The documented impact is XSS, with practi...

5.4CVSS5.1AI score0.00473EPSS
CVE
CVE
added 2017/06/05 7:0 p.m.51 views

CVE-2017-9443

BigTree CMS before or at version 4.2.18 is affected by CVE-2017-9443. The vulnerability arises from an SQL injection via a crafted tables object in manifest.json in an uploaded package, affecting core/admin/modules/developer/extensions/install/process.php and core/admin/modules/developer/packages...

8.8CVSS8.6AI score0.01257EPSS
CVE
CVE
added 2021/06/01 2:13 p.m.51 views

CVE-2020-26668

BigTree CMS 4.4.10 and earlier contains a SQL injection in /core/feeds/custom.php exploitable via the Create New Feed function by an authenticated user. The vulnerability stems from improper handling of input in that endpoint, allowing injection of malicious SQL queries. Reported impact per CVSS:...

8.8CVSS8.8AI score0.01395EPSS
CVE
CVE
added 2013/08/19 8:0 p.m.50 views

CVE-2013-5313

CVE-2013-5313 describes a CSRF vulnerability in BigTree CMS 4.0 RC2 and earlier. The flaw is in the file core/admin/modules/users/update.php and enables remote attackers to hijack administrator sessions by sending crafted requests that modify arbitrary user accounts through an edit user action. E...

6.8CVSS7.5AI score0.00885EPSS
CVE
CVE
added 2017/03/15 4:0 p.m.50 views

CVE-2017-6916

CVE-2017-6916 affects BigTree CMS 4.1.18. CSRF via the nav-social[#] parameter to admin/settings/update/ can change the Navigation Social setting, per NVD and related records. CVSSv3 base score 4.3 (Medium) with low integrity impact and no confidentiality/availability impact; exploitation details...

4.3CVSS5.2AI score0.00389EPSS
CVE
CVE
added 2017/06/04 2:0 p.m.50 views

CVE-2017-9427

CVE-2017-9427 is a SQL injection vulnerability in BigTree CMS up to version 4.2.18. The flaw allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/designer/form-create.php, with the injected table name being crafted at admin/developer/modules...

8.8CVSS8.8AI score0.01607EPSS
CVE
CVE
added 2017/06/02 5:4 a.m.49 views

CVE-2017-9365

CVE-2017-9365 describes a CSRF vulnerability in BigTree CMS up to version 4.2.18. The issue stems from the force parameter to the admin/pages/revisions.php endpoint (for example, /admin/pages/revisions/1/?force=false), which can allow unlocking of a page with id=1. The NVD description confirms CS...

8.8CVSS8.6AI score0.00467EPSS
CVE
CVE
added 2017/06/05 7:0 p.m.49 views

CVE-2017-9441

BigTree CMS CVE-2017-9441 affects versions up to 4.2.18 and is due to XSS in the package extension unpack paths (core/admin/modules/developer/extensions/install/unpack.php and core/admin/modules/developer/packages/install/unpack.php) when processing manifest.json fields (title, version, author_na...

5.4CVSS5.2AI score0.00602EPSS
CVE
CVE
added 2017/06/05 7:0 p.m.49 views

CVE-2017-9444

BigTree CMS up to version 4.2.18 is affected by CSRF vulnerabilities in several administrative endpoints: core/admin/modules/users/profile/update.php (modify user information), index.php/admin/developer/packages/delete/ (remove packages), index.php/admin/developer/upgrade/ignore/?versions=, and i...

8.8CVSS8.7AI score0.00453EPSS
CVE
CVE
added 2017/06/05 7:0 p.m.48 views

CVE-2017-9442

BigTree CMS (versions up to 4.2.18) is affected by CVE-2017-9442. Remote authenticated users can execute arbitrary code by uploading a crafted package containing a PHP web shell, via ZIP extraction to file name patterns under cache/package/xxx/yyy.php. The issue exists in core/admin/modules/devel...

8.8CVSS8.7AI score0.02451EPSS
CVE
CVE
added 2018/04/17 2:0 p.m.48 views

CVE-2018-10183

BigTree CMS 4.2.22 contains a cross-site scripting (XSS) vulnerability in /core/inc/lib/less.php/test/index.php triggered by echoing $_SERVER['REQUEST_URI'], demonstrated via the dir parameter in a file=charsets action. This is documented across multiple feeds (NVD/CNVD/OSV) with no provided reme...

6.1CVSS5.9AI score0.00707EPSS
CVE
CVE
added 2017/03/15 4:0 p.m.47 views

CVE-2017-6917

CVE-2017-6917 affects BigTree CMS 4.2.16. The Red Hat and NVD entries confirm a CSRF in the admin/settings/update/ endpoint where the value parameter can alter the Colophon. The connected sources do not provide exploit details or a remediation; no patch/version changes are explicitly stated in th...

4.3CVSS5.2AI score0.00389EPSS
CVE
CVE
added 2017/06/04 2:0 p.m.47 views

CVE-2017-9428

BigTree CMS

7.5CVSS7.5AI score0.02044EPSS
CVE
CVE
added 2017/06/06 3:0 p.m.47 views

CVE-2017-9448

BigTree CMS

5.4CVSS5.5AI score0.00592EPSS
CVE
CVE
added 2017/03/15 4:0 p.m.46 views

CVE-2017-6914

CVE-2017-6914 concerns BigTree CMS, affecting versions 4.1.18 and 4.2.16. The vulnerability is a CSRF flaw triggered by the id parameter to the admin/ajax/users/delete/ endpoint, which allows an arbitrary user to be deleted. The connected Red Hat and other entries corroborate the CSRF nature but ...

7.1CVSS7AI score0.00382EPSS
CVE
CVE
added 2017/04/15 4:0 p.m.46 views

CVE-2017-7881

BigTree CMS

8.8CVSS8.7AI score0.00751EPSS
CVE
CVE
added 2017/06/02 5:4 a.m.46 views

CVE-2017-9364

BigTree CMS < = 4.2.18 is affected by an unrestricted file upload vulnerability that allows an attacker to upload a .pht/.phtml file to bypass a safety check and execute code. Connected sources also reference additional issues in the same release family (BigTree CMS

9.8CVSS9.6AI score0.01255EPSS
CVE
CVE
added 2017/06/06 3:0 p.m.46 views

CVE-2017-9449

BigTree CMS vulnerability CVE-2017-9449 affects version up to 4.2.18. A SQL injection flaw exists in core/admin/modules/developer/modules/views/create.php that allows remote authenticated users to execute arbitrary SQL commands by crafting a table name at admin/developer/modules/views/create/; th...

8.8CVSS8.8AI score0.01066EPSS
CVE
CVE
added 2018/04/30 9:0 p.m.46 views

CVE-2018-10364

BigTree CMS

5.4CVSS5.2AI score0.0083EPSS
CVE
CVE
added 2021/06/01 2:13 p.m.46 views

CVE-2020-26670

CVE-2020-26670 affects BigTree CMS up to version 4.4.10. An authenticated attacker can execute arbitrary commands through a crafted request to the server via the Create a New Setting (also described as Create New Setup in some sources) function. The root cause is a command execution vulnerability...

8.8CVSS8.8AI score0.01819EPSS
CVE
CVE
added 2018/01/23 12:0 a.m.45 views

CVE-2018-6013

CVE-2018-6013 is an XSS vulnerability in BigTree CMS 4.2.19. The issue exists in core/admin/ajax/developer/extensions/file-browser.php, where the directory parameter can be used by remote attackers to inject arbitrary web script or HTML. The description across multiple sources confirms impact is ...

5.4CVSS5.3AI score0.00836EPSS
CVE
CVE
added 2017/03/15 4:0 p.m.44 views

CVE-2017-6918

BigTree CMS 4.2.16 exposes a CSRF vulnerability via the value[#][*] parameter to the /admin/settings/update/ page, which can change Navigation Social settings. Affected component is the admin settings handler; root cause is cross-site request forgery without user interaction risk details provided...

4.3CVSS5.2AI score0.00389EPSS
CVE
CVE
added 2017/06/02 3:0 p.m.44 views

CVE-2017-9378

BigTree CMS up to version 4.2.18 allows a user to delete their own account, an action that should be admin-only. The root cause is a missing access-control check on account deletion, enabling self-removal and potential disruption to admin workflows (e.g., data backups). No exploits or in‑the‑wild...

6.5CVSS6.4AI score0.0063EPSS
CVE
CVE
added 2017/06/12 6:0 a.m.44 views

CVE-2017-9546

CVE-2017-9546 concerns BigTree CMS prior to 4.2.19 (BigTree 4.2.18 and earlier). The vulnerability exists in admin.php and allows remote authenticated users to trigger a denial of service by supplying crafted XSS sequences in a revision name, causing an inability to save revisions. Connected sour...

5.7CVSS5.4AI score0.01127EPSS
CVE
CVE
added 2017/06/12 6:0 a.m.44 views

CVE-2017-9547

BigTree CMS (admin.php) up to version 4.2.18 is affected by a Cross-site Scripting (XSS) vulnerability. The issue allows remote authenticated users to inject arbitrary script/HTML by performing an Edit Page action and setting the Navigation Title or Page Title for a page scheduled for future publ...

5.4CVSS5.3AI score0.00784EPSS
CVE
CVE
added 2021/06/01 2:13 p.m.43 views

CVE-2020-26669

BigTree CMS 4.4.10 and earlier is affected by a stored XSS in the admin pages update path (site/index.php/admin/pages/update). The issue allows an authenticated attacker to inject and execute arbitrary web scripts/HTML via page content. Impact is limited to confidentiality/ integrity depending on...

5.4CVSS5.4AI score0.00604EPSS
CVE
CVE
added 2018/06/26 4:0 p.m.42 views

CVE-2018-1000521

BigTree-CMS has an XSS vulnerability in /users/create. The issue allows low-privilege users to impact high-privilege (Developer) users; the description provides no exploit method and does indicate a fix after commit b652cfdc14d0670c81ac4401ad5a04376745c279. Connected sources also corroborate the ...

6.1CVSS6AI score0.00865EPSS
CVE
CVE
added 2018/09/14 2:0 a.m.42 views

CVE-2018-17030

CVE-2018-17030 affects BigTree CMS 4.2.23. The vulnerability allows remote authenticated users who have privileges to set hooks to execute arbitrary code via /core/admin/auto-modules/forms/process.php. Public references in the connected documents consistently describe an arbitrary code execution ...

7.5CVSS7.6AI score0.02318EPSS
CVE
CVE
added 2018/09/23 5:0 a.m.42 views

CVE-2018-17341

BigTree 4.2.23 on Windows is affected. When Advanced or Simple Rewrite routing is enabled, authentication can be bypassed via a ..\ substring in the URL (example: launch.php?bigtree_htaccess_url=admin/images/..). This is a remote-auth bypass vulnerability described across NVD, Red Hat, OSV, CVE d...

8.1CVSS8.1AI score0.01939EPSS
CVE
CVE
added 2018/10/19 8:0 p.m.41 views

CVE-2018-18380

CVE-2018-18380 affects BigTree (Bigtree) CMS prior to 4.2.24. The admin.php flow accepts a user-supplied PHP session ID after login instead of regenerating a new one, enabling session hijacking (session fixation). Documents indicate this is fixed in 4.2.24; remediation is to upgrade to 4.2.24 or ...

5.8CVSS5.4AI score0.01085EPSS