Vulnerabilities > Bigtreecms > Bigtree CMS > 4.1.14
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-06-01 | CVE-2020-26668 | SQL Injection vulnerability in Bigtreecms Bigtree CMS: A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function. | 8.8 |
2021-06-01 | CVE-2020-26669 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS: A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update. | 5.4 |
2021-06-01 | CVE-2020-26670 | OS Command Injection vulnerability in Bigtreecms Bigtree CMS: A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function. | 8.8 |
2018-10-19 | CVE-2018-18380 | Session Fixation vulnerability in Bigtreecms Bigtree CMS: A Session Fixation issue was discovered in Bigtree before 4.2.24. | 5.4 |
2018-04-30 | CVE-2018-10364 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS: BigTree before 4.2.22 has XSS in the Users management page via the name or company field. | 5.4 |
2018-04-30 | CVE-2018-10574 | Code Injection vulnerability in Bigtreecms Bigtree CMS: site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files. | 9.8 |
2017-11-27 | CVE-2017-16961 | SQL Injection vulnerability in Bigtreecms Bigtree CMS: A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. | 6.5 |
2017-06-12 | CVE-2017-9548 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS: admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change). | 5.4 |
2017-06-12 | CVE-2017-9547 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS: admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change). | 5.4 |
2017-06-12 | CVE-2017-9546 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS: admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name. | 5.7 |