Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Bigtree_cms
(Bigtreecms)| Repositories | https://github.com/bigtreecms/BigTree-CMS |
| #Vulnerabilities | 44 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-04-15 | CVE-2017-7881 | BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14. | Bigtree_cms | 8.8 | ||
| 2017-04-11 | CVE-2017-7695 | Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. | Bigtree_cms | 9.8 | ||
| 2017-03-15 | CVE-2017-6918 | CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | Bigtree_cms | 4.3 | ||
| 2017-03-15 | CVE-2017-6917 | CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed. | Bigtree_cms | 4.3 | ||
| 2017-03-15 | CVE-2017-6916 | CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | Bigtree_cms | 4.3 | ||
| 2017-03-15 | CVE-2017-6915 | CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed. | Bigtree_cms | 4.3 | ||
| 2017-03-15 | CVE-2017-6914 | CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted. | Bigtree_cms | 7.1 | ||
| 2017-11-27 | CVE-2017-16961 | A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request. | Bigtree_cms | 6.5 | ||
| 2017-07-29 | CVE-2017-11736 | SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. | Bigtree_cms | 8.8 | ||
| 2017-02-14 | CVE-2016-10223 | An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | Bigtree_cms | 5.4 |