Skip to main content

Bigtree Cms

40 CVEs product

Monthly

CVE-2023-44954 MEDIUM POC This Month

Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Bigtree Cms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-36197 MEDIUM POC This Month

BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PDF file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS File Upload Bigtree Cms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2018-18380 MEDIUM PATCH This Month

A Session Fixation issue was discovered in Bigtree before 4.2.24. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
1.1%
CVE-2018-18308 MEDIUM POC PATCH This Month

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Bigtree Cms
NVD GitHub Exploit-DB
CVSS 3.0
6.1
EPSS
3.6%
CVE-2018-17341 HIGH POC This Week

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Microsoft PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.1
EPSS
1.9%
CVE-2018-17030 HIGH POC This Week

BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Code Injection RCE PHP Bigtree Cms
NVD GitHub
CVSS 3.0
7.5
EPSS
2.3%
CVE-2018-1000521 MEDIUM POC This Month

BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create that can result in The low-privileged users can use this vulnerability to attack high-privileged(Developer) users.. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Bigtree Cms
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2018-10364 MEDIUM PATCH This Month

BigTree before 4.2.22 has XSS in the Users management page via the name or company field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.8%
CVE-2018-10574 CRITICAL POC PATCH Act Now

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE PHP Bigtree Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-10183 MEDIUM POC This Month

An issue was discovered in BigTree 4.2.22. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Bigtree Cms
NVD GitHub
CVSS 3.0
6.1
EPSS
0.7%
CVE-2018-6013 MEDIUM POC This Month

Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.8%
CVE-2017-16961 MEDIUM POC This Month

A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Bigtree Cms
NVD GitHub
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-11736 HIGH PATCH This Week

SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.3%
CVE-2017-9548 MEDIUM PATCH This Month

admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.1%
CVE-2017-9547 MEDIUM PATCH This Month

admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.1%
CVE-2017-9546 MEDIUM PATCH This Month

admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Denial Of Service PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.7
EPSS
0.4%
CVE-2017-9449 HIGH PATCH This Week

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.3%
CVE-2017-9448 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.1%
CVE-2017-9444 HIGH PATCH This Week

BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages),. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-9443 HIGH POC This Week

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Bigtree Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2017-9442 HIGH POC This Week

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
2.1%
CVE-2017-9441 LOW PATCH Monitor

Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
CVSS 3.1
2.7
EPSS
0.2%
CVE-2017-9428 HIGH POC This Week

A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Microsoft PHP Bigtree Cms
NVD GitHub
CVSS 3.0
7.5
EPSS
0.4%
CVE-2017-9427 HIGH POC This Week

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-9379 HIGH POC This Week

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-9378 MEDIUM POC PATCH This Month

BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Bigtree Cms
NVD GitHub
CVSS 3.0
6.5
EPSS
0.1%
CVE-2017-9365 HIGH POC PATCH This Week

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-9364 CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload Bigtree Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-7881 HIGH POC PATCH This Week

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF PHP Bigtree Cms
NVD GitHub
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-7695 CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP File Upload Bigtree Cms
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2017-6918 MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-6917 MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-6916 MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-6915 MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
CVSS 3.0
4.3
EPSS
0.1%
CVE-2017-6914 HIGH POC PATCH This Week

CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
CVSS 3.0
7.1
EPSS
0.1%
CVE-2016-10223 MEDIUM PATCH This Month

An issue was discovered in BigTree CMS before 4.2.15. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass PHP Bigtree Cms
NVD GitHub
CVSS 3.0
5.4
EPSS
0.1%
CVE-2013-5313 MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF PHP Bigtree Cms
NVD GitHub
CVSS 2.0
6.8
EPSS
0.1%
CVE-2013-4881 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF PHP Bigtree Cms
NVD GitHub Exploit-DB
CVSS 2.0
6.8
EPSS
0.3%
CVE-2013-4880 MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Bigtree Cms
NVD Exploit-DB GitHub
CVSS 2.0
4.3
EPSS
4.5%
CVE-2013-4879 HIGH POC PATCH This Week

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Bigtree Cms
NVD Exploit-DB GitHub
CVSS 2.0
7.5
EPSS
1.1%
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the Developer Settings functions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Bigtree Cms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PDF file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS File Upload +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

A Session Fixation issue was discovered in Bigtree before 4.2.24. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Session Fixation Information Disclosure PHP +1
NVD GitHub
EPSS 4% CVSS 6.1
MEDIUM POC PATCH This Month

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area). Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Bigtree Cms
NVD GitHub Exploit-DB
EPSS 2% CVSS 8.1
HIGH POC This Week

BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\ substring, as demonstrated by a. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Microsoft PHP +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Code Injection RCE PHP +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create that can result in The low-privileged users can use this vulnerability to attack high-privileged(Developer) users.. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Bigtree Cms
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

BigTree before 4.2.22 has XSS in the Users management page via the name or company field. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Bigtree Cms
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection RCE PHP +1
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in BigTree 4.2.22. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Bigtree Cms
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via the tags array parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching a Home Template Edit. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject arbitrary web script or HTML by launching an Edit Page action and. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS sequences in a revision name. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Denial Of Service PHP +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

SQLi PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages),. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF PHP Bigtree Cms
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Bigtree Cms
NVD GitHub
EPSS 2% CVSS 8.8
HIGH POC This Week

BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection PHP +1
NVD GitHub
EPSS 0% CVSS 2.7
LOW PATCH Monitor

Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

XSS PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Microsoft PHP +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Bigtree Cms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload Bigtree Cms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP File Upload Bigtree Cms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM POC PATCH This Month

CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Bigtree Cms
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

An issue was discovered in BigTree CMS before 4.2.15. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC PATCH This Month

Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available.

CSRF PHP Bigtree Cms
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to hijack the authentication of administrators for. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF PHP Bigtree Cms
NVD GitHub Exploit-DB
EPSS 5% CVSS 4.3
MEDIUM POC PATCH This Month

Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to inject arbitrary web script or HTML via. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Bigtree Cms
NVD Exploit-DB GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO to index.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi Bigtree Cms
NVD Exploit-DB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy