Bigtreecms Bigtree Cms — known CVE vulnerabilities
Every CVE whose affected-product data names Bigtreecms Bigtree Cms, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (44)
CVE-2017-9364 — CVSS 9.8 (critical): Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a…
CVE-2017-7695 — CVSS 9.8 (critical): Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety…
CVE-2018-10574 — CVSS 9.8 (critical): site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the…
CVE-2017-11736 — CVSS 8.8 (high): SQL injection vulnerability in core\admin\auto-modules\forms\process.php in BigTree 4.2.18 allows remote authenticated users to execute…
CVE-2017-9449 — CVSS 8.8 (high): SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via…
CVE-2017-9365 — CVSS 8.8 (high): CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?fo…
CVE-2017-9443 — CVSS 8.8 (high): BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json…
CVE-2017-9442 — CVSS 8.8 (high): BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web…
CVE-2017-9427 — CVSS 8.8 (high): SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via…
CVE-2017-9379 — CVSS 8.8 (high): Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.p…
CVE-2017-7881 — CVSS 8.8 (high): BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing…
CVE-2017-9444 — CVSS 8.8 (high): BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the…
CVE-2020-26670 — CVSS 8.8 (high): A vulnerability has been discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker to execute arbitrary commands…
CVE-2020-26668 — CVSS 8.8 (high): A SQL injection vulnerability was discovered in /core/feeds/custom.php in BigTree CMS 4.4.10 and earlier which allows an authenticated…
CVE-2018-17341 — CVSS 8.1 (high): BigTree 4.2.23 on Windows, when Advanced or Simple Rewrite routing is enabled, allows remote attackers to bypass authentication via a ..\…
CVE-2013-4879 — CVSS 7.5 (high): SQL injection vulnerability in core/inc/bigtree/cms.php in BigTree CMS 4.0 RC2 and earlier allows remote attackers to execute arbitrary SQL…
CVE-2017-9428 — CVSS 7.5 (high): A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on…
CVE-2018-17030 — CVSS 7.5 (high): BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via…
CVE-2017-6914 — CVSS 7.1 (high): CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted.
CVE-2013-5313 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/update.php in BigTree CMS 4.0 RC2 and earlier allows remote…
CVE-2013-4881 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in core/admin/modules/users/create.php in BigTree CMS 4.0 RC2 and earlier allows remote…
CVE-2017-9378 — CVSS 6.5 (medium): BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was…
CVE-2017-16961 — CVSS 6.5 (medium): A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain…
CVE-2018-1000521 — CVSS 6.1 (medium): BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in /users/create that can result in The low-privileged users can use this…
CVE-2018-10183 — CVSS 6.1 (medium): An issue was discovered in BigTree 4.2.22. There is cross-site scripting (XSS) in /core/inc/lib/less.php/test/index.php because of a…
CVE-2018-18308 — CVSS 6.1 (medium): In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload…
CVE-2017-9546 — CVSS 5.7 (medium): admin.php in BigTree through 4.2.18 allows remote authenticated users to cause a denial of service (inability to save revisions) via XSS…
CVE-2018-18380 — CVSS 5.4 (medium): A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating…
CVE-2020-18467 — CVSS 5.4 (medium): Cross Site Scripting (XSS) vulnerabilty exists in BigTree-CMS 4.4.3 in the tag name field found in the Tags page under the General menu via…
CVE-2018-6013 — CVSS 5.4 (medium): Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote users to inject arbitrary web script or HTML via the directory parameter…
CVE-2020-26669 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS 4.4.10 and earlier which allows an authenticated attacker…
CVE-2022-36197 — CVSS 5.4 (medium): BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a…
CVE-2017-9448 — CVSS 5.4 (medium): Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or…
CVE-2017-9547 — CVSS 5.4 (medium): admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject…
CVE-2017-9548 — CVSS 5.4 (medium): admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) vulnerability, which allows remote authenticated users to inject…
CVE-2016-10223 — CVSS 5.4 (medium): An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the…
CVE-2023-44954 — CVSS 5.4 (medium): Cross Site Scripting vulnerability in BigTree CMS v.4.5.7 allows a remote attacker to execute arbitrary code via the ID parameter in the…
CVE-2017-6918 — CVSS 4.3 (medium): CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVE-2017-6916 — CVSS 4.3 (medium): CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVE-2017-6915 — CVSS 4.3 (medium): CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed.
CVE-2013-4880 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in core/admin/modules/developer/modules/views/add.php in BigTree CMS 4.0 RC2 and earlier allows…
CVE-2017-6917 — CVSS 4.3 (medium): CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.
CVE-2017-9441 — CVSS 2.7 (low): Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web…