Shodan
Vulnerabilities
Vulnerable Software
Bigtreecms:  >> Bigtree Cms  Security Vulnerabilities
CVE-2017-9364
Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-06-02
CVE-2017-9365
CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked.
CVSS Score
8.8
EPSS Score
0.001
Published
2017-06-02
CVE-2017-7881
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
CVSS Score
8.8
EPSS Score
0.0
Published
2017-04-15
CVE-2017-7695
Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code.
CVSS Score
9.8
EPSS Score
0.004
Published
2017-04-11
CVE-2017-6914
CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted.
CVSS Score
7.1
EPSS Score
0.001
Published
2017-03-15
CVE-2017-6915
CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed.
CVSS Score
4.3
EPSS Score
0.001
Published
2017-03-15
CVE-2017-6916
CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVSS Score
4.3
EPSS Score
0.001
Published
2017-03-15
CVE-2017-6917
CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed.
CVSS Score
4.3
EPSS Score
0.001
Published
2017-03-15
CVE-2017-6918
CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed.
CVSS Score
4.3
EPSS Score
0.001
Published
2017-03-15
CVE-2016-10223
An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
CVSS Score
5.4
EPSS Score
0.001
Published
2017-02-14


Products
Pricing
Contact Us

Shodan ® - All rights reserved