BigTree-CMS 4.2.x < 4.2.9 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 9556

Synopsis

The version of BigTree-CMS running on the remote server is affected by multiple vulnerabilities.

Description

The version of BigTree-CMS installed on the remote host is 4.2.x prior to 4.2.9 and is affected by multiple vulnerabilities :

- A flaw exists in the 'core/admin/auto-modules/forms/process.php' script that is triggered as input passed via the 'view_data' parameter is not properly sanitized. This may allow an authenticated remote attacker to inject arbitrary PHP objects and conduct an XSS attack.
- An unspecified flaw exists in the '/core/inc/bigtree/utils.php' script that may allow an authenticated remote attacker with administrator privileges to elevate their privileges to developer for the remainder of their session. No further details have been provided by the vendor.

Solution

Upgrade to BigTree-CMS version 4.2.9 or later.

See Also

https://github.com/bigtreecms/BigTree-CMS/blob/4.2-devel/README.md#429-release

Plugin Details

Severity: Medium

ID: 9556

Family: CGI

Published: 9/9/2016

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Temporal Score: 6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:bigtreecms:bigtree_cms

Patch Publication Date: 2/12/2016

Vulnerability Publication Date: 1/21/2016