Skip to main content

Bigtree Cms CVE-2018-10364

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-04-30 cve@mitre.org
5.4
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 30, 2018 - 21:29 nvd
MEDIUM 5.4

DescriptionNVD

BigTree before 4.2.22 has XSS in the Users management page via the name or company field.

AnalysisAI

BigTree before 4.2.22 has XSS in the Users management page via the name or company field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. BigTree before 4.2.22 has XSS in the Users management page via the name or company field. Affected products include: Bigtreecms Bigtree Cms. Version information: before 4.2.22.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2017-7695 CRITICAL POC
9.8 Apr 11

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they coul

CVE-2017-9364 CRITICAL POC
9.8 Jun 02

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file,

CVE-2018-10574 CRITICAL POC
9.8 Apr 30

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PH

CVE-2017-9442 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package co

CVE-2017-9443 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables objec

CVE-2017-9427 HIGH POC
8.8 Jun 04

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL com

CVE-2017-9379 HIGH POC
8.8 Jun 02

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-st

CVE-2017-9365 HIGH POC
8.8 Jun 02

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/p

CVE-2017-7881 HIGH POC
8.8 Apr 15

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this

CVE-2018-17341 HIGH POC
8.1 Sep 23

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authent

CVE-2013-4879 HIGH POC
7.5 Aug 14

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to ex

CVE-2017-9428 HIGH POC
7.5 Jun 04

A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS throu

Share

CVE-2018-10364 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy