Vulnerabilities > Bigtreecms

DATE CVE VULNERABILITY TITLE RISK
2017-06-06 CVE-2017-9449 SQL Injection vulnerability in Bigtreecms Bigtree CMS
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php.
network
low complexity
bigtreecms CWE-89
6.5
2017-06-06 CVE-2017-9448 Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS
Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter.
network
bigtreecms CWE-79
3.5
2017-06-05 CVE-2017-9444 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS
BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI.
6.8
2017-06-05 CVE-2017-9443 SQL Injection vulnerability in Bigtreecms Bigtree CMS
BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package.
network
low complexity
bigtreecms CWE-89
8.8
2017-06-05 CVE-2017-9442 Code Injection vulnerability in Bigtreecms Bigtree CMS
BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php.
network
low complexity
bigtreecms CWE-94
8.8
2017-06-05 CVE-2017-9441 Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS
Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json.
network
low complexity
bigtreecms CWE-79
5.4
2017-06-04 CVE-2017-9428 Path Traversal vulnerability in Bigtreecms Bigtree CMS
A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter.
network
low complexity
bigtreecms microsoft CWE-22
5.0
2017-06-04 CVE-2017-9427 SQL Injection vulnerability in Bigtreecms Bigtree CMS
SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php.
network
low complexity
bigtreecms CWE-89
6.5
2017-06-02 CVE-2017-9379 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS
Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php.
6.8
2017-06-02 CVE-2017-9378 Incorrect Authorization vulnerability in Bigtreecms Bigtree CMS
BigTree CMS through 4.2.18 does not prevent a user from deleting their own account.
network
low complexity
bigtreecms CWE-863
4.0