BigTree-CMS 4.2.x < 4.2.9 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 9556


The version of BigTree-CMS running on the remote server is affected by multiple vulnerabilities.


The version of BigTree-CMS installed on the remote host is 4.2.x prior to 4.2.9 and is affected by multiple vulnerabilities:

- A flaw exists in the 'core/admin/auto-modules/forms/process.php' script that is triggered as input passed via the 'view_data' parameter is not properly sanitized. This may allow an authenticated remote attacker to inject arbitrary PHP objects and conduct an XSS attack. (OSVDB 135945)
- An unspecified flaw exists in the '/core/inc/bigtree/utils.php' script that may allow an authenticated remote attacker with administrator privileges to elevate their privileges to developer for the remainder of their session. No further details have been provided by the vendor. (OSVDB 135946)


Upgrade to BigTree-CMS version 4.2.9 or later.

Plugin Details

Severity: Medium

ID: 9556

File Name: 9556.prm

Family: CGI

Published: 2016/09/09

Modified: 2016/09/16

Dependencies: 9436

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSS v3.0

Base Score: 6.2

Temporal Score: 5.9


Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:bigtreecms:bigtree_cms

Patch Publication Date: 2016/02/12

Vulnerability Publication Date: 2016/01/21

Reference Information

OSVDB: 135945, 135946