Search Results

Search Parameters:
  • CPE Product Version: cpe:/a:bigtreecms:bigtree_cms:4.0
There are 29 matching records.
Displaying matches 21 through 29.
Vuln ID Summary CVSS Severity
CVE-2017-9365

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.

Published: June 02, 2017; 1:29:00 AM -0400
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2017-9364

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code.

Published: June 02, 2017; 1:29:00 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2017-7881

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.

Published: April 15, 2017; 12:59:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2017-7695

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code.

Published: April 11, 2017; 7:59:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-10223

An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Published: February 14, 2017; 1:59:00 AM -0500
V3.0: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2013-5313

Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that modify arbitrary user accounts via an edit user action.

Published: August 19, 2013; 5:10:49 PM -0400
V3.x: (not available)
V2.0: 6.8 MEDIUM
CVE-2013-4881

Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for requests that create an administrative user via an add user action to index.php.

Published: August 19, 2013; 9:07:58 AM -0400
V3.x: (not available)
V2.0: 6.8 MEDIUM
CVE-2013-4880

Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via the module parameter.

Published: August 14, 2013; 9:50:00 AM -0400
V3.x: (not available)
V2.0: 4.3 MEDIUM
CVE-2013-4879

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php.

Published: August 14, 2013; 9:49:59 AM -0400
V3.x: (not available)
V2.0: 7.5 HIGH