Vulnerabilities > Bigtreecms > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-06-01 | CVE-2020-26668 | SQL Injection vulnerability in Bigtreecms Bigtree CMS A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function. | 8.8 |
| 2021-06-01 | CVE-2020-26670 | OS Command Injection vulnerability in Bigtreecms Bigtree CMS A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function. | 8.8 |
| 2018-09-23 | CVE-2018-17341 | Improper Authentication vulnerability in Bigtreecms Bigtree CMS 4.2.23 BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI. | 8.1 |
| 2018-09-14 | CVE-2018-17030 | Code Injection vulnerability in Bigtreecms Bigtree CMS 4.2.23 BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php. | 7.5 |
| 2017-07-29 | CVE-2017-11736 | SQL Injection vulnerability in Bigtreecms Bigtree CMS 4.2.18 SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. | 8.8 |
| 2017-06-06 | CVE-2017-9449 | SQL Injection vulnerability in Bigtreecms Bigtree CMS SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. | 8.8 |
| 2017-06-05 | CVE-2017-9444 | Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | 8.8 |
| 2017-06-05 | CVE-2017-9443 | SQL Injection vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. | 8.8 |
| 2017-06-05 | CVE-2017-9442 | Code Injection vulnerability in Bigtreecms Bigtree CMS BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. | 8.8 |
| 2017-06-04 | CVE-2017-9428 | Path Traversal vulnerability in Bigtreecms Bigtree CMS A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter. | 7.5 |