This page lists publicly disclosed CVE vulnerabilities affecting BigTree CMS, matched through the NVD CPE (vendor bigtreecms, product bigtree_cms). Each row gives the CVE identifier, the NVD summary, the reporting source, the highest CVSS base score recorded for the entry, the EPSS score (FIRST's estimated probability of exploitation in the wild within the next 30 days), and the publication and last-update dates, to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2017-9449 | SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name. | [email protected] | 8.8 | 1.07% | 2017-06-06 | 2026-06-16 |
| CVE-2017-9448 | Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML via the description parameter. This issue exists in core\admin\ajax\pages\save-revision.php and core\admin\modules\pages\revisions.php. Low-privileged (administrator) users can attack high-privileged (Developer) users. | [email protected] | 5.4 | 0.59% | 2017-06-06 | 2026-06-16 |
| CVE-2017-9444 | BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\users\profile\update.php script (modify user information), the index.php/admin/developer/packages/delete/ URI (remove packages), the index.php/admin/developer/upgrade/ignore/?versions= URI, and the index.php/admin/developer/upgrade/set-ftp-directory/ URI. | [email protected] | 8.8 | 0.45% | 2017-06-05 | 2026-06-16 |
| CVE-2017-9443 | BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files." | [email protected] | 8.8 | 1.26% | 2017-06-05 | 2026-06-16 |
| CVE-2017-9442 | BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability | [email protected] | 8.8 | 2.45% | 2017-06-05 | 2026-06-16 |
| CVE-2017-9441 | Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or exte | [email protected] | 2.7 | 0.60% | 2017-06-05 | 2026-06-16 |
| CVE-2017-9428 | A directory traversal vulnerability exists in core\admin\ajax\developer\extensions\file-browser.php in BigTree CMS through 4.2.18 on Windows, allowing attackers to read arbitrary files via ..\ sequences in the directory parameter. | [email protected] | 7.5 | 2.04% | 2017-06-04 | 2026-06-16 |
| CVE-2017-9427 | SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core\admin\modules\developer\modules\designer\form-create.php. The attacker creates a crafted table name at admin/developer/modules/designer/ and the injection is visible at admin/dashboard/vitals-statistics/integrity/check/?external=true. | [email protected] | 8.8 | 1.61% | 2017-06-04 | 2026-06-16 |
| CVE-2017-9379 | Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear parameter to core\admin\modules\dashboard\vitals-statistics\404\clear.php and the from or to parameter to core\admin\modules\dashboard\vitals-statistics\404\create-301.php. | [email protected] | 8.8 | 0.46% | 2017-06-02 | 2026-06-16 |
| CVE-2017-9378 | BigTree CMS through 4.2.18 does not prevent a user from deleting their own account. This could have security relevance because deletion was supposed to be an admin-only action, and the admin may have other tasks (such as data backups) to complete before a user is deleted. | [email protected] | 6.5 | 0.63% | 2017-06-02 | 2026-06-16 |
| CVE-2017-9365 | CSRF exists in BigTree CMS through 4.2.18 with the force parameter to /admin/pages/revisions.php - for example: /admin/pages/revisions/1/?force=false. A page with id=1 can be unlocked. | [email protected] | 8.8 | 0.47% | 2017-06-02 | 2026-06-16 |
| CVE-2017-9364 | Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an attacker uploads an 'xxx.pht' or 'xxx.phtml' file, they could bypass a safety check and execute any code. | [email protected] | 9.8 | 1.26% | 2017-06-02 | 2026-06-16 |
| CVE-2017-7881 | BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14. | [email protected] | 8.8 | 0.75% | 2017-04-15 | 2026-06-16 |
| CVE-2017-7695 | Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an attacker uploads an 'xxx.php[space]' file, they could bypass a safety check and execute any code. | [email protected] | 9.8 | 1.99% | 2017-04-11 | 2026-06-16 |
| CVE-2017-6918 | CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | [email protected] | 4.3 | 0.39% | 2017-03-15 | 2026-06-16 |
| CVE-2017-6917 | CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admin/settings/update/ page. The Colophon can be changed. | [email protected] | 4.3 | 0.39% | 2017-03-15 | 2026-06-16 |
| CVE-2017-6916 | CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to the admin/settings/update/ page. The Navigation Social can be changed. | [email protected] | 4.3 | 0.39% | 2017-03-15 | 2026-06-16 |
| CVE-2017-6915 | CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the admin/settings/update/ page. The Colophon can be changed. | [email protected] | 4.3 | 0.39% | 2017-03-15 | 2026-06-16 |
| CVE-2017-6914 | CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to the admin/ajax/users/delete/ page. A user can be deleted. | [email protected] | 7.1 | 0.38% | 2017-03-15 | 2026-06-16 |
| CVE-2016-10223 | An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | [email protected] | 5.4 | 0.51% | 2017-02-14 | 2026-06-16 |
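The upload rows (CVE-2017-9364, CVE-2017-7695) and the traversal row (CVE-2017-9428) share one root cause: a check keyed on the literal string the client sent rather than on what the filesystem or web server will do with it. The following is an added illustration, not BigTree CMS code; the denylist, allowlist and base directory are assumptions, and the weak check is written in the shape such bypasses defeat, not copied from the project.

```python
"""
Upload-name and path checks (added example, not BigTree CMS code).
CVE-2017-9364 / CVE-2017-7695 describe bypassing an upload check with
'xxx.pht', 'xxx.phtml' or 'xxx.php ' (trailing space); CVE-2017-9428 describes
'..\\' traversal in a directory parameter on Windows. The weak check below is
an assumed shape written for illustration, not the project's real code.
"""
import posixpath
import re
from typing import Optional

# Denylist keyed on the literal last extension: the shape of check such
# bypasses defeat (assumed for illustration).
DENYLIST = {"php", "php3", "php4", "php5"}
# Allowlist of what the upload endpoint actually needs (assumed).
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def weak_upload_check(filename: str) -> bool:
    """Accept unless the exact last extension is denylisted. Misses .pht,
    .phtml and 'php ' because none of them is the string 'php'."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in DENYLIST


def safe_upload_name(filename: str) -> Optional[str]:
    """Return a normalized safe filename, or None to refuse the upload."""
    # Drop any directory part the client supplied (both separator styles).
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows and some servers drop trailing spaces/dots on save, so
    # 'shell.php ' lands on disk as shell.php; normalize before checking.
    name = name.rstrip(" .")
    # Strip NUL and other control characters.
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    # Allowlist, never denylist: pht/phtml/phar/php7 never get a chance.
    if ext not in ALLOWLIST:
        return None
    # Refuse multi-extension names ('shell.php.jpg'): some server configs
    # consult every extension when choosing a handler.
    if "." in stem:
        return None
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    return f"{stem}.{ext}"


def safe_subpath(base: str, requested: str) -> Optional[str]:
    """Join `requested` under `base`, refusing '../', '..\\', absolute paths
    and drive letters. Call os.path.realpath on the result before use if
    symlinks are possible (not shown here)."""
    rel = requested.replace("\\", "/")
    if "\x00" in rel or rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        return None
    if any(seg == ".." for seg in rel.split("/")):
        return None
    return posixpath.normpath(posixpath.join(base, rel))
```

The important design choice is to normalize first (strip directory parts, trailing spaces and dots, control characters), then decide with an allowlist. Backslashes are converted before any check so the same code behaves identically whether the CMS runs on Windows or Linux, which is what the Windows-only traversal row turns on.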
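CVE-2017-7881 is a reminder that a Referer check is only as strong as the comparison behind it: a substring test matches the attacker's own URL as soon as the expected path is placed in its query string. The block below is an added example and not BigTree CMS code; SITE_ORIGIN and the token helper are assumptions for illustration.

```python
"""
Referer-based CSRF check (added example, not BigTree CMS code).
CVE-2017-7881 describes a substring test for 'admin/developer/' on the Referer
header, bypassed by placing that string in the query string of an attacker URL.
SITE_ORIGIN and csrf_token_valid are assumptions for illustration.
"""
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example.test"  # assumed deployment origin


def weak_referer_check(referer: str) -> bool:
    """Substring test: true for any URL that merely contains the path."""
    return "admin/developer/" in referer


def strict_referer_check(referer: str) -> bool:
    """Require an exact origin match and the admin path in the *path*
    component only; query string and userinfo are ignored by construction."""
    if not referer:
        return False  # missing Referer: fail closed
    u = urlsplit(referer)
    if u.scheme != "https" or not u.hostname:
        return False
    # Rebuild the origin from parsed parts so 'https://cms.example.test@evil'
    # compares as host 'evil', not as our host.
    port = f":{u.port}" if u.port not in (None, 443) else ""
    origin = f"{u.scheme}://{u.hostname.lower()}{port}"
    if origin != SITE_ORIGIN:
        return False
    return u.path.startswith("/admin/developer/")


def csrf_token_valid(session_token: str, submitted: str) -> bool:
    """Per-session synchronizer token compared in constant time. The Referer
    check above is defense in depth; this is the primary CSRF control."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)
```

Even the strict form should not be the only control: browsers and privacy extensions routinely strip Referer, so a check that fails closed on a missing header locks legitimate users out, while one that fails open is no control at all. A per-session token submitted with every state-changing request is the fix the other CSRF rows in this table (revisions unlock, user deletion, settings updates) call for as well.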
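Two rows (CVE-2017-9449, CVE-2017-9427) describe injection through a crafted table name. That case is worth separating from ordinary value injection because bound parameters cannot carry identifiers: the table name has to be validated and quoted on its own. The following is an added example, not BigTree CMS code; sqlite3 stands in for the MySQL backend, and the schema and the crafted name are constructed for the demonstration.

```python
"""
SQL identifier handling (added example, not BigTree CMS code).
CVE-2017-9449 and CVE-2017-9427 describe injection through a crafted *table
name*. Bound parameters only carry values, so an identifier has to be
validated and quoted separately. sqlite3 stands in for the MySQL backend;
the schema and the crafted name below are constructed for this example.
"""
import re
import sqlite3

# Letter/underscore start, then up to 63 more word chars (MySQL limit is 64).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

# Constructed attacker-controlled "table name".
CRAFTED_TABLE = "items WHERE 0 UNION SELECT password FROM secrets"


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample schema: a public table and a sensitive one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO items (name) VALUES ('a'), ('b'), ('c');
        CREATE TABLE secrets (password TEXT);
        INSERT INTO secrets VALUES ('hunter2');
    """)
    return conn


def quote_identifier(name: str) -> str:
    """Validate, then backtick-quote. Escaping is deliberately not attempted:
    an identifier that fails the pattern is rejected outright."""
    if not IDENT_RE.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    return f"`{name}`"


def unsafe_count(conn: sqlite3.Connection, table: str) -> list:
    """Interpolates the name verbatim; the crafted value turns a COUNT into
    a UNION that returns the secrets column."""
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchall()


def safe_count(conn: sqlite3.Connection, table: str) -> list:
    """Same query with the identifier validated and quoted."""
    return conn.execute(f"SELECT COUNT(*) FROM {quote_identifier(table)}").fetchall()


def safe_count_rejects(conn: sqlite3.Connection, table: str) -> bool:
    """True if safe_count refuses the name (helper for checking behaviour)."""
    try:
        safe_count(conn, table)
    except ValueError:
        return True
    return False
```

Where the set of legal tables is known, a stricter version compares the submitted name against the names actually present in the database (information_schema.tables in MySQL) before quoting it, so that even a syntactically valid identifier cannot point the query at a table the caller should not touch.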