Skip to main content

Bigtree Cms CVE-2017-9364

CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2017-06-02 cve@mitre.org
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 02, 2017 - 05:29 cve.org
CRITICAL 9.8

DescriptionCVE.org

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code.

AnalysisAI

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. Affected products include: Bigtreecms Bigtree Cms. Version information: through 4.2.18.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2017-7695 CRITICAL POC
9.8 Apr 11

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they coul

CVE-2018-10574 CRITICAL POC
9.8 Apr 30

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PH

CVE-2017-9442 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package co

CVE-2017-9443 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables objec

CVE-2017-9427 HIGH POC
8.8 Jun 04

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL com

CVE-2017-9379 HIGH POC
8.8 Jun 02

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-st

CVE-2017-9365 HIGH POC
8.8 Jun 02

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/p

CVE-2017-7881 HIGH POC
8.8 Apr 15

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this

CVE-2018-17341 HIGH POC
8.1 Sep 23

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authent

CVE-2013-4879 HIGH POC
7.5 Aug 14

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to ex

CVE-2017-9428 HIGH POC
7.5 Jun 04

A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS throu

CVE-2018-17030 HIGH POC
7.5 Sep 14

BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code v

Share

CVE-2017-9364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy