BigTree-CMS 4.2.x < 4.2.9 Multiple Vulnerabilities
Severity: Medium. Nessus Network Monitor Plugin ID 9556
Synopsis: The version of BigTree-CMS running on the remote server is affected by multiple vulnerabilities.
Description: The version of BigTree-CMS installed on the remote host is 4.2.x prior to 4.2.9 and is affected by multiple vulnerabilities:
- A flaw exists in the 'core/admin/auto-modules/forms/process.php' script that is triggered because input passed via the 'view_data' parameter is not properly sanitized. This may allow an authenticated remote attacker to inject arbitrary PHP objects and conduct an XSS attack. (OSVDB 135945)
- An unspecified flaw exists in the '/core/inc/bigtree/utils.php' script that may allow an authenticated remote attacker with administrator privileges to elevate their privileges to developer for the remainder of their session. No further details have been provided by the vendor. (OSVDB 135946)
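The first flaw combines PHP object injection with XSS. The following is an added illustration, not BigTree-CMS code and not taken from the plugin: it assumes the object-injection sink is unserialize() on the 'view_data' parameter (the plugin text does not name the sink), and the function names and 'label' key are hypothetical. The vulnerable form is shown beside a hardened one that rejects executable serialization formats and escapes output for its HTML context.

```php
<?php
// Added example (not BigTree-CMS code). Assumption: 'view_data' reaches
// unserialize(); the plugin description only says the input is unsanitized.

// Vulnerable pattern: unserialize() on attacker-controlled input instantiates
// arbitrary classes (object injection), and the value is echoed unescaped (XSS).
function process_view_data_vulnerable(array $request): string
{
    $view = unserialize($request['view_data']);   // object injection sink
    return '<p>' . $view['label'] . '</p>';       // reflected XSS sink
}

// Hardened pattern: accept only a data-only format, validate the shape,
// and escape for the HTML context where the value is rendered.
function process_view_data_hardened(array $request): string
{
    $raw = $request['view_data'] ?? '';
    try {
        // JSON cannot instantiate PHP objects; depth limit bounds parser work.
        $view = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return '';                                 // reject malformed input
    }
    if (!is_array($view) || !isset($view['label']) || !is_string($view['label'])) {
        return '';                                 // reject unexpected shape
    }
    // If serialized PHP must be kept for compatibility, the minimum mitigation
    // is unserialize($raw, ['allowed_classes' => false]) plus the same checks.
    return '<p>' . htmlspecialchars($view['label'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample input: markup in the label is rendered as text, not HTML.
$sample = ['view_data' => '{"label":"<b>Monthly report</b>"}'];
echo process_view_data_hardened($sample), PHP_EOL;
// Expected: <p>&lt;b&gt;Monthly report&lt;/b&gt;</p>
```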
Solution: Upgrade to BigTree-CMS version 4.2.9 or later.