44 matches found
CVE-2013-4879
Vulnerability: CVE-2013-4879 affects BigTree CMS 4.0 RC2 and earlier, due to an SQL injection in the code path that processes input via PATH_INFO to index.php (affecting core/inc/bigtree/cms.php). The root cause is insufficient sanitization/validation of user-supplied data, enabling remote attack...
CVE-2018-18308
BigTree CMS 4.2.23 contains a Stored XSS vulnerability in the image-upload path /admin/ajax/file-browser/upload/. The issue arises in the image upload handling, allowing an attacker to inject arbitrary web script/HTML via the upload mechanism. Public references (Exploit-DB, CNVD, CNVD-like entrie...
CVE-2013-4881
CVE-2013-4881 is a CSRF vulnerability in BigTree CMS 4.0 RC2 and earlier. The issue lies in core/admin/modules/users/create.php, allowing an attacker to hijack an admin’s session and create a new administrative user via requests to index.php. Exploitation demonstrated with a crafted form that sub...
CVE-2013-4880
CVE-2013-4880 is an XSS vulnerability affecting BigTree CMS 4.0 RC2 and earlier, in core/admin/modules/developer/modules/views/add.php where the module parameter is unsafely handled. The issue allows a remote attacker to inject arbitrary HTML/script by crafting a link such as /site/index.php/admi...
CVE-2023-44954
BigTree CMS 4.5.7 is affected by a Cross-Site Scripting vulnerability in the Developer Settings function, allowing a remote attacker to execute arbitrary code via the ID parameter. The CVE-2023-44954 description and connected sources (CNVD-2023-93329, NVD, OSV, CNNVD) consistently identify BigTre...
CVE-2017-11736
CVE-2017-11736 affects BigTree CMS (version 4.2.18). The vulnerability is an SQL injection in the file core/admin/auto-modules/forms/process.php, exploitable via the tags array parameter, which allows remote authenticated users to execute arbitrary SQL commands. Impact is described as partial to ...
CVE-2017-6915
CVE-2017-6915 affects BigTree CMS 4.1.18. The vulnerability is a CSRF issue in the colophon parameter used by the admin/settings/update/ page, allowing an attacker to alter the Colophon. The CVE is corroborated by multiple sources (Red Hat, NVD, CNVD, OSV, CVE list, etc.). The provided documents ...
CVE-2017-16961
BigTree CMS 4.2.19 and earlier is affected by a SQL injection in core/inc/auto-modules.php. An attacker who is authenticated can exploit a crafted _tags[] parameter in admin/trees/add/process, with the issue later mishandled in admin/ajax/dashboard/approve-change, to obtain information in the con...
CVE-2022-36197
BigTree CMS 4.4.16 contains an arbitrary file upload vulnerability that enables remote code execution via a crafted PDF file. The issue is described across sources as an arbitrary file upload vulnerability affecting BigTree CMS, with CVE-2022-36197 (NVD: CVSS v3.1 base score 5.4; AV:N/AC:L/PR:L/U...
CVE-2017-9548
Summary: CVE-2017-9548 affects BigTree CMS up to version 4.2.18 (BigTree). The vulnerability is a cross-site scripting (XSS) flaw in admin.php that allows remote authenticated users to inject arbitrary script or HTML by using the Home Template Edit Page action and setting the Navigation Title for...
CVE-2016-10223
CVE-2016-10223 – BigTree CMS XSS in id parameter . Affected software: BigTree CMS prior to 4.2.15. The vulnerability stems from insufficient filtration of user-supplied data in the GET parameter id passed to core/admin/adjax/dashboard/check-module-integrity.php, allowing an attacker to inject arb...
CVE-2017-9379
CVE-2017-9379 : The provided documents identify multiple CSRF issues in BigTree CMS
CVE-2018-10574
The CVE-2018-10574 entry pertains to BigTree CMS
CVE-2017-7695
BigTree CMS
CVE-2020-18467
CVE-2020-18467 concerns a cross-site scripting (XSS) vulnerability in BigTree-CMS 4.4.3. The issue arises in the tag name field on the Tags page under General, exploitable by an authenticated user via a crafted website name submitted to admin/tags/create. The documented impact is XSS, with practi...
CVE-2017-9443
BigTree CMS before or at version 4.2.18 is affected by CVE-2017-9443. The vulnerability arises from an SQL injection via a crafted tables object in manifest.json in an uploaded package, affecting core/admin/modules/developer/extensions/install/process.php and core/admin/modules/developer/packages...
CVE-2020-26668
BigTree CMS 4.4.10 and earlier contains a SQL injection in /core/feeds/custom.php exploitable via the Create New Feed function by an authenticated user. The vulnerability stems from improper handling of input in that endpoint, allowing injection of malicious SQL queries. Reported impact per CVSS:...
CVE-2013-5313
CVE-2013-5313 describes a CSRF vulnerability in BigTree CMS 4.0 RC2 and earlier. The flaw is in the file core/admin/modules/users/update.php and enables remote attackers to hijack administrator sessions by sending crafted requests that modify arbitrary user accounts through an edit user action. E...
CVE-2017-6916
CVE-2017-6916 affects BigTree CMS 4.1.18. CSRF via the nav-social[#] parameter to admin/settings/update/ can change the Navigation Social setting, per NVD and related records. CVSSv3 base score 4.3 (Medium) with low integrity impact and no confidentiality/availability impact; exploitation details...
CVE-2017-9427
CVE-2017-9427 is a SQL injection vulnerability in BigTree CMS up to version 4.2.18. The flaw allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/designer/form-create.php, with the injected table name being crafted at admin/developer/modules...
CVE-2017-9365
CVE-2017-9365 describes a CSRF vulnerability in BigTree CMS up to version 4.2.18. The issue stems from the force parameter to the admin/pages/revisions.php endpoint (for example, /admin/pages/revisions/1/?force=false), which can allow unlocking of a page with id=1. The NVD description confirms CS...
CVE-2017-9441
BigTree CMS CVE-2017-9441 affects versions up to 4.2.18 and is due to XSS in the package extension unpack paths (core/admin/modules/developer/extensions/install/unpack.php and core/admin/modules/developer/packages/install/unpack.php) when processing manifest.json fields (title, version, author_na...
CVE-2017-9444
BigTree CMS up to version 4.2.18 is affected by CSRF vulnerabilities in several administrative endpoints: core/admin/modules/users/profile/update.php (modify user information), index.php/admin/developer/packages/delete/ (remove packages), index.php/admin/developer/upgrade/ignore/?versions=, and i...
CVE-2017-9442
BigTree CMS (versions up to 4.2.18) is affected by CVE-2017-9442. Remote authenticated users can execute arbitrary code by uploading a crafted package containing a PHP web shell, via ZIP extraction to file name patterns under cache/package/xxx/yyy.php. The issue exists in core/admin/modules/devel...
CVE-2018-10183
BigTree CMS 4.2.22 contains a cross-site scripting (XSS) vulnerability in /core/inc/lib/less.php/test/index.php triggered by echoing $_SERVER['REQUEST_URI'], demonstrated via the dir parameter in a file=charsets action. This is documented across multiple feeds (NVD/CNVD/OSV) with no provided reme...
CVE-2017-6917
CVE-2017-6917 affects BigTree CMS 4.2.16. The Red Hat and NVD entries confirm a CSRF in the admin/settings/update/ endpoint where the value parameter can alter the Colophon. The connected sources do not provide exploit details or a remediation; no patch/version changes are explicitly stated in th...
CVE-2017-9428
BigTree CMS
CVE-2017-9448
BigTree CMS
CVE-2017-6914
CVE-2017-6914 concerns BigTree CMS, affecting versions 4.1.18 and 4.2.16. The vulnerability is a CSRF flaw triggered by the id parameter to the admin/ajax/users/delete/ endpoint, which allows an arbitrary user to be deleted. The connected Red Hat and other entries corroborate the CSRF nature but ...
CVE-2017-7881
BigTree CMS
CVE-2017-9364
BigTree CMS < = 4.2.18 is affected by an unrestricted file upload vulnerability that allows an attacker to upload a .pht/.phtml file to bypass a safety check and execute code. Connected sources also reference additional issues in the same release family (BigTree CMS
CVE-2017-9449
BigTree CMS vulnerability CVE-2017-9449 affects version up to 4.2.18. A SQL injection flaw exists in core/admin/modules/developer/modules/views/create.php that allows remote authenticated users to execute arbitrary SQL commands by crafting a table name at admin/developer/modules/views/create/; th...
CVE-2018-10364
BigTree CMS
CVE-2020-26670
CVE-2020-26670 affects BigTree CMS up to version 4.4.10. An authenticated attacker can execute arbitrary commands through a crafted request to the server via the Create a New Setting (also described as Create New Setup in some sources) function. The root cause is a command execution vulnerability...
CVE-2018-6013
CVE-2018-6013 is an XSS vulnerability in BigTree CMS 4.2.19. The issue exists in core/admin/ajax/developer/extensions/file-browser.php, where the directory parameter can be used by remote attackers to inject arbitrary web script or HTML. The description across multiple sources confirms impact is ...
CVE-2017-6918
BigTree CMS 4.2.16 exposes a CSRF vulnerability via the value[#][*] parameter to the /admin/settings/update/ page, which can change Navigation Social settings. Affected component is the admin settings handler; root cause is cross-site request forgery without user interaction risk details provided...
CVE-2017-9378
BigTree CMS up to version 4.2.18 allows a user to delete their own account, an action that should be admin-only. The root cause is a missing access-control check on account deletion, enabling self-removal and potential disruption to admin workflows (e.g., data backups). No exploits or in‑the‑wild...
CVE-2017-9546
CVE-2017-9546 concerns BigTree CMS prior to 4.2.19 (BigTree 4.2.18 and earlier). The vulnerability exists in admin.php and allows remote authenticated users to trigger a denial of service by supplying crafted XSS sequences in a revision name, causing an inability to save revisions. Connected sour...
CVE-2017-9547
BigTree CMS (admin.php) up to version 4.2.18 is affected by a Cross-site Scripting (XSS) vulnerability. The issue allows remote authenticated users to inject arbitrary script/HTML by performing an Edit Page action and setting the Navigation Title or Page Title for a page scheduled for future publ...
CVE-2020-26669
BigTree CMS 4.4.10 and earlier is affected by a stored XSS in the admin pages update path (site/index.php/admin/pages/update). The issue allows an authenticated attacker to inject and execute arbitrary web scripts/HTML via page content. Impact is limited to confidentiality/ integrity depending on...
CVE-2018-1000521
BigTree-CMS has an XSS vulnerability in /users/create. The issue allows low-privilege users to impact high-privilege (Developer) users; the description provides no exploit method and does indicate a fix after commit b652cfdc14d0670c81ac4401ad5a04376745c279. Connected sources also corroborate the ...
CVE-2018-17030
CVE-2018-17030 affects BigTree CMS 4.2.23. The vulnerability allows remote authenticated users who have privileges to set hooks to execute arbitrary code via /core/admin/auto-modules/forms/process.php. Public references in the connected documents consistently describe an arbitrary code execution ...
CVE-2018-17341
BigTree 4.2.23 on Windows is affected. When Advanced or Simple Rewrite routing is enabled, authentication can be bypassed via a ..\ substring in the URL (example: launch.php?bigtree_htaccess_url=admin/images/..). This is a remote-auth bypass vulnerability described across NVD, Red Hat, OSV, CVE d...
CVE-2018-18380
CVE-2018-18380 affects BigTree (Bigtree) CMS prior to 4.2.24. The admin.php flow accepts a user-supplied PHP session ID after login instead of regenerating a new one, enabling session hijacking (session fixation). Documents indicate this is fixed in 4.2.24; remediation is to upgrade to 4.2.24 or ...