Skip to main content

Bigtree Cms CVE-2023-44954

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-11-01 cve@mitre.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 01, 2023 - 23:15 nvd
MEDIUM 5.4

DescriptionNVD

Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions.

AnalysisAI

Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions. Affected products include: Bigtreecms Bigtree Cms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2017-7695 CRITICAL POC
9.8 Apr 11

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they coul

CVE-2017-9364 CRITICAL POC
9.8 Jun 02

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file,

CVE-2018-10574 CRITICAL POC
9.8 Apr 30

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PH

CVE-2017-9442 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package co

CVE-2017-9443 HIGH POC
8.8 Jun 05

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables objec

CVE-2017-9427 HIGH POC
8.8 Jun 04

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL com

CVE-2017-9379 HIGH POC
8.8 Jun 02

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-st

CVE-2017-9365 HIGH POC
8.8 Jun 02

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/p

CVE-2017-7881 HIGH POC
8.8 Apr 15

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this

CVE-2018-17341 HIGH POC
8.1 Sep 23

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authent

CVE-2013-4879 HIGH POC
7.5 Aug 14

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to ex

CVE-2017-9428 HIGH POC
7.5 Jun 04

A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS throu

Share

CVE-2023-44954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy