Vulnerabilities > Bigtreecms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-06-06 | CVE-2017-9449 | SQL Injection vulnerability in Bigtreecms Bigtree CMS SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. | 6.5 |
| 2017-06-06 | CVE-2017-9448 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. | 3.5 |
| 2017-06-05 | CVE-2017-9444 | Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | 6.8 |
| 2017-06-05 | CVE-2017-9443 | SQL Injection vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. | 8.8 |
| 2017-06-05 | CVE-2017-9442 | Code Injection vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. | 8.8 |
| 2017-06-05 | CVE-2017-9441 | Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. | 5.4 |
| 2017-06-04 | CVE-2017-9428 | Path Traversal vulnerability in Bigtreecms Bigtree CMS A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter. | 5.0 |
| 2017-06-04 | CVE-2017-9427 | SQL Injection vulnerability in Bigtreecms Bigtree CMS SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. | 6.5 |
| 2017-06-02 | CVE-2017-9379 | Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php. | 6.8 |
| 2017-06-02 | CVE-2017-9378 | Incorrect Authorization vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. | 4.0 |