BigTree-CMS 4.1.x < 4.1.9 XSS

Medium

Synopsis

The version of BigTree-CMS running on the remote server is affected by an XSS vulnerability.

Description

The version of BigTree-CMS installed on the remote host is 4.1.x prior to 4.1.9 and is affected by a vulnerability that allows a stored XSS attack. This flaw exists because the user creation process does not validate input supplied as username and company name before returning it to users. This may allow a remote, authenticated attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
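As an added example (not code from the Tenable plugin or from BigTree-CMS), the following Python check reproduces the affected range stated above, 4.1.x with a patch level below 9, so that an inventory of detected versions can be triaged; it assumes versions are reported as "major.minor[.patch]" strings, and the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range from the advisory: 4.1.x with x < 9; fixed in 4.1.9.
AFFECTED_BRANCH = (4, 1)
FIXED_PATCH = 9

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' into integers.

    A missing patch level is treated as 0 (so '4.1' means 4.1.0) and a
    trailing suffix such as '-beta' is ignored. Returns None when the
    string does not look like a version at all.
    """
    match = _VERSION_RE.match(version)
    if not match:
        return None
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True only for versions inside the advisory's range (4.1.0 .. 4.1.8)."""
    parsed = parse_version(version)
    if parsed is None:
        # Unknown format: do not report a finding the data cannot support.
        return False
    major, minor, patch = parsed
    return (major, minor) == AFFECTED_BRANCH and patch < FIXED_PATCH


def check_inventory(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host to whether its detected BigTree-CMS version is affected."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "cms-a.example.internal": "4.1.8",     # affected: needs upgrade to 4.1.9+
    "cms-b.example.internal": "4.1.9",     # fixed release
    "cms-c.example.internal": "4.1.10",    # later than the fix
    "cms-d.example.internal": "4.0.12",    # different branch, not in scope
    "cms-e.example.internal": "unknown",   # undetected version, not flagged
}

if __name__ == "__main__":
    for host, affected in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'not affected'}")
```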

Solution

Upgrade to BigTree-CMS version 4.1.9 or later.