Vulnerabilities > Bigtreecms > Bigtree CMS > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-07-29 | CVE-2017-11736 | SQL Injection vulnerability in Bigtreecms Bigtree CMS 4.2.18 SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. | 6.5 |
| 2017-06-06 | CVE-2017-9449 | SQL Injection vulnerability in Bigtreecms Bigtree CMS SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. | 6.5 |
| 2017-06-05 | CVE-2017-9444 | Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | 6.8 |
| 2017-06-05 | CVE-2017-9441 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. | 5.4 |
| 2017-06-04 | CVE-2017-9428 | Path Traversal vulnerability in Bigtreecms Bigtree CMS A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter. | 5.0 |
| 2017-06-04 | CVE-2017-9427 | SQL Injection vulnerability in Bigtreecms Bigtree CMS SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. | 6.5 |
| 2017-06-02 | CVE-2017-9379 | Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php. | 6.8 |
| 2017-06-02 | CVE-2017-9378 | Incorrect Authorization vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. | 4.0 |
| 2017-06-02 | CVE-2017-9365 | Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. | 6.8 |
| 2017-04-15 | CVE-2017-7881 | Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. | 6.8 |