Skip to main content

Bigtree Cms CVE-2018-18308

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-10-16 cve@mitre.org
6.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Oct 16, 2018 - 22:29 nvd
MEDIUM 6.1

DescriptionNVD

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).

AnalysisAI

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area). Affected products include: Bigtreecms Bigtree Cms.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2017-7695 CRITICAL POC
9.8 Apr 11

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they coul

CVE-2017-9364 CRITICAL POC
9.8 Jun 02

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file,

CVE-2018-10574 CRITICAL POC
9.8 Apr 30

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PH

CVE-2017-9442 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package co

CVE-2017-9443 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables objec

CVE-2017-9427 HIGH POC
8.8 Jun 04

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL com

CVE-2017-9379 HIGH POC
8.8 Jun 02

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-st

CVE-2017-9365 HIGH POC
8.8 Jun 02

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/p

CVE-2017-7881 HIGH POC
8.8 Apr 15

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this

CVE-2018-17341 HIGH POC
8.1 Sep 23

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authent

CVE-2013-4879 HIGH POC
7.5 Aug 14

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to ex

CVE-2017-9428 HIGH POC
7.5 Jun 04

A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS throu

Share

CVE-2018-18308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy