Search Results (Refine Search)
- CPE Product Version: cpe:/a:bigtreecms:bigtree_cms:4.2.23
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2020-26670 |
A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands through a crafted request sent to the server via the 'Create a New Setting' function. Published: June 01, 2021; 11:15:07 AM -0400 |
V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2020-26669 |
A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to site/index.php/admin/pages/update. Published: June 01, 2021; 11:15:07 AM -0400 |
V3.1: 5.4 MEDIUM V2.0: 3.5 LOW |
CVE-2020-26668 |
A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to inject a malicious SQL query to the applications via the 'Create New Feed' function. Published: June 01, 2021; 11:15:07 AM -0400 |
V3.1: 8.8 HIGH V2.0: 6.5 MEDIUM |
CVE-2018-18380 |
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session. Published: October 19, 2018; 4:29:00 PM -0400 |
V3.0: 5.4 MEDIUM V2.0: 5.8 MEDIUM |
CVE-2018-18308 |
In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area). Published: October 16, 2018; 6:29:01 PM -0400 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-17341 |
BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a launch.php?bigtree_htaccess_url=admin/images/..\ URI. Published: September 23, 2018; 1:29:00 AM -0400 |
V3.0: 8.1 HIGH V2.0: 6.8 MEDIUM |
CVE-2018-17030 |
BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php. Published: September 13, 2018; 10:29:00 PM -0400 |
V3.0: 7.5 HIGH V2.0: 6.0 MEDIUM |