Skip to main content

Bigtree Cms CVE-2017-9378

MEDIUM
Incorrect Authorization (CWE-863)
2017-06-02 cve@mitre.org
6.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 02, 2017 - 15:29 cve.org
MEDIUM 6.5

DescriptionCVE.org

BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted.

AnalysisAI

BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted. Affected products include: Bigtreecms Bigtree Cms. Version information: through 4.2.18.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2017-7695 CRITICAL POC
9.8 Apr 11

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they coul

CVE-2017-9364 CRITICAL POC
9.8 Jun 02

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file,

CVE-2018-10574 CRITICAL POC
9.8 Apr 30

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PH

CVE-2017-9442 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package co

CVE-2017-9443 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables objec

CVE-2017-9427 HIGH POC
8.8 Jun 04

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL com

CVE-2017-9379 HIGH POC
8.8 Jun 02

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-st

CVE-2017-9365 HIGH POC
8.8 Jun 02

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/p

CVE-2017-7881 HIGH POC
8.8 Apr 15

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this

CVE-2018-17341 HIGH POC
8.1 Sep 23

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authent

CVE-2013-4879 HIGH POC
7.5 Aug 14

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to ex

CVE-2017-9428 HIGH POC
7.5 Jun 04

A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS throu

Share

CVE-2017-9378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy