Vulnerabilities > Bigtreecms

DATE CVE VULNERABILITY TITLE RISK
2017-06-02 CVE-2017-9378 Incorrect Authorization vulnerability in Bigtreecms Bigtree CMS
BigTree CMS through 4.2.18 does not prevent a user from deleting their own account.
network
low complexity
bigtreecms CWE-863
6.5
2017-06-02 CVE-2017-9365 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS
CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false.
network
low complexity
bigtreecms CWE-352
8.8
2017-06-02 CVE-2017-9364 Unrestricted Upload of File with Dangerous Type vulnerability in Bigtreecms Bigtree CMS
Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code.
network
low complexity
bigtreecms CWE-434
critical
9.8
2017-04-15 CVE-2017-7881 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header.
network
low complexity
bigtreecms CWE-352
8.8
2017-04-11 CVE-2017-7695 Unrestricted Upload of File with Dangerous Type vulnerability in Bigtreecms Bigtree CMS
Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code.
network
low complexity
bigtreecms CWE-434
critical
9.8
2017-03-15 CVE-2017-6918 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.2.16
CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page.
network
low complexity
bigtreecms CWE-352
4.3
2017-03-15 CVE-2017-6917 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.2.16
CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page.
network
low complexity
bigtreecms CWE-352
4.3
2017-03-15 CVE-2017-6916 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.1.8
CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page.
network
low complexity
bigtreecms CWE-352
4.3
2017-03-15 CVE-2017-6915 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.1.8
CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page.
network
low complexity
bigtreecms CWE-352
4.3
2017-03-15 CVE-2017-6914 Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.1.8/4.2.16
CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page.
network
low complexity
bigtreecms CWE-352
7.1