BigTree CMS

10 matches found

CVE-2018-18308
added 2018/10/16 10:29 p.m. · 46 views

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).

CVSS 6.1 · AI score 5.8 · EPSS 0.0604
CVE-2018-10574
added 2018/04/30 8:29 p.m. · 39 views

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files.

CVSS 9.8 · AI score 9.8 · EPSS 0.00925
CVE-2018-10183
added 2018/04/17 2:29 p.m. · 34 views

An issue was discovered in BigTree 4.2.22. There is cross-site scripting (XSS) in /core/inc/lib/less.php/test/index.php because of a $_SERVER['REQUEST_URI'] echo, as demonstrated by the dir parameter in a file=charsets action.

CVSS 6.1 · AI score 5.9 · EPSS 0.0024
CVE-2018-6013
added 2018/01/23 12:29 a.m. · 32 views

Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. This issue exists in core/admin/ajax/developer/extensions/file-browser.php.

CVSS 5.4 · AI score 5.3 · EPSS 0.0015
CVE-2018-10364
added 2018/04/30 9:29 p.m. · 31 views

BigTree before 4.2.22 has XSS in the Users management page via the name or company field.

CVSS 5.4 · AI score 5.2 · EPSS 0.00227
CVE-2018-20405
added 2018/12/23 11:29 p.m. · 31 views

BigTree 4.3 allows full path disclosure via authenticated admin/news/ input that triggers a syntax error. NOTE: This has been disputed with the following reasoning: "The issue reported requires full developer level access to the content management system where cross site scripting is not an issue -...

CVSS 4 · AI score 3.9 · EPSS 0.00258
CVE-2018-18380
added 2018/10/19 8:29 p.m. · 30 views

A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session.

CVSS 5.8 · AI score 5.4 · EPSS 0.00251
CVE-2018-1000521
added 2018/06/26 4:29 p.m. · 29 views

BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create; low-privileged users can use this vulnerability to attack high-privileged (Developer) users. This attack appears to be exploitable via no. This vulnerability appears to have been fixed in after co...

CVSS 6.1 · AI score 6 · EPSS 0.0024
CVE-2018-17030
added 2018/09/14 2:29 a.m. · 29 views

BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php.

CVSS 7.5 · AI score 7.6 · EPSS 0.02417
CVE-2018-17341
added 2018/09/23 5:29 a.m. · 28 views

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI.

CVSS 8.1 · AI score 8.1 · EPSS 0.00461