Bigtreecms vulnerabilities (medium risk)

Each entry lists the publication date, CVE identifier and title, the description, and then the attack vector, attack complexity, vendor, weakness type (CWE) and risk score.

2017-11-27  CVE-2017-16961  SQL Injection vulnerability in Bigtreecms Bigtree CMS
  A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-89 | Risk: 6.5

2017-06-12  CVE-2017-9548  Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS
  admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit Page action and entering the Navigation Title of a page that is scheduled for future publication (aka a pending page change).
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-79 | Risk: 5.4

2017-06-12  CVE-2017-9547  Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS
  admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and entering the Navigation Title or Page Title of a page that is scheduled for future publication (aka a pending page change).
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-79 | Risk: 5.4

2017-06-12  CVE-2017-9546  Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS
  admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-79 | Risk: 5.7

2017-06-06  CVE-2017-9448  Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS
  Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-79 | Risk: 5.4

2017-06-05  CVE-2017-9441  Cross-site Scripting vulnerability in Bigtreecms Bigtree CMS
  Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-79 | Risk: 5.4

2017-06-02  CVE-2017-9378  Incorrect Authorization vulnerability in Bigtreecms Bigtree CMS
  BigTree CMS through 4.2.18 does not prevent a user from deleting their own account.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-863 | Risk: 6.5

2017-03-15  CVE-2017-6918  Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.2.16
  CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-352 | Risk: 4.3

2017-03-15  CVE-2017-6917  Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.2.16
  CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-352 | Risk: 4.3

2017-03-15  CVE-2017-6916  Cross-Site Request Forgery (CSRF) vulnerability in Bigtreecms Bigtree CMS 4.1.8
  CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page.
  Vector: network | Complexity: low | Vendor: bigtreecms | Weakness: CWE-352 | Risk: 4.3