Xfkxfk

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via the `description` parameter. This exists in coreadminajaxpagessave-revision.php and coreadminmodulespagesrevisions.php, enabling low-privileged users, such as administrators, to attack high-privileged users, like Developers. **Recommendations** For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the `description` parameter in the affected API endpoints until a patch is available.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved by creating a crafted table name at the "admin/developer/modules/views/create/" endpoint and the injection is visible at the "admin/ajax/auto-modules/views/searchable-page/" or "admin/modules name" endpoints. The estimated number of potentially affected devices worldwide is not available. **Recommendations** For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "core/admin/modules/developer/modules/views/create.php" file until a patch is available. Avoid using the vulnerable endpoint "admin/developer/modules/views/create/" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions through 4.2.18 **Description** Multiple cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package. The issue is triggered by mishandling of the `title`, `version`, or `author name` parameter in manifest.json. This exists in coreadminmodulesdeveloperextensionsinstallunpack.php and coreadminmodulesdeveloperpackagesinstallunpack.php. The vendor notes that any installed package or extension must be implicitly trusted as they can write PHP files. **Recommendations** For BigTree CMS versions through 4.2.18, consider disabling the package installation feature until a patch is available to prevent exploitation of the `title`, `version`, and `author name` parameters in manifest.json. Restrict access to the coreadminmodulesdeveloperextensionsinstallunpack.php and coreadminmodulesdeveloperpackagesinstallunpack.php files to minimize the risk of arbitrary web script or HTML injection. Avoid using the `title`, `version`, and `author name` parameters in the affected manifest.json files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions 4.2.18 and earlier **Description** The issue allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell. This is related to the extraction of a ZIP archive to filename patterns such as `cache/package/xxx/yyy.php`. The problem exists in files `coreadminmodulesdeveloperextensionsinstallunpack.php` and `coreadminmodulesdeveloperpackagesinstallunpack.php`. The vendor notes that any installed package or extension must be implicitly trusted as they have the ability to write PHP files. **Recommendations** For BigTree CMS versions 4.2.18 and earlier, consider disabling the package installation feature until a patch is available to prevent the upload of crafted packages. Restrict access to the `unpack.php` files in the `coreadminmodulesdeveloperextensionsinstall` and `coreadminmodulesdeveloperpackagesinstall` directories to minimize the risk of exploitation. Avoid using the package installation feature with untrusted packages, as they may contain PHP web shells. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions 4.2.18 and earlier **Description** The issue allows remote authenticated users to conduct SQL injection attacks via a crafted `tables` object in `manifest.json` in an uploaded package. This issue exists in `coreadminmodulesdeveloperextensionsinstallprocess.php` and `coreadminmodulesdeveloperpackagesinstallprocess.php`. The vendor notes that any installed package or extension must be implicitly trusted as they have the ability to write PHP files. **Recommendations** For BigTree CMS versions 4.2.18 and earlier, update to a version later than 4.2.18 to resolve the issue. As a temporary workaround, consider restricting the upload of packages and extensions to trusted sources only, and avoid using the `tables` object in `manifest.json` until a patch is available. Restrict access to the vulnerable `process.php` files in the `coreadminmodulesdeveloperextensionsinstall` and `coreadminmodulesdeveloperpackagesinstall` directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue is related to CSRF, allowing modification of user information, removal of packages, ignoring versions, and setting FTP directories. Specifically, it affects the "core/admin/modules/users/profile/update.php" script, the "index.php/admin/developer/packages/delete/" URI, the "index.php/admin/developer/upgrade/ignore/?versions=" URI, and the "index.php/admin/developer/upgrade/set-ftp-directory/" URI. **Recommendations** For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider implementing CSRF protection measures, such as token-based validation, for the affected scripts and URIs. Restrict access to the vulnerable URIs, including "index.php/admin/developer/packages/delete/", "index.php/admin/developer/upgrade/ignore/?versions=", and "index.php/admin/developer/upgrade/set-ftp-directory/", to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved by creating a crafted table name at the "admin/developer/modules/designer/" endpoint and the injection is visible at the "admin/dashboard/vitals-statistics/integrity/check/?external=true" endpoint. **Recommendations** For versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "coreadminmodulesdevelopermodulesdesignerform-create.php" module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** A directory traversal issue exists, allowing attackers to read arbitrary files via .. sequences in the `directory` parameter. This is due to a vulnerability in the coreadminajaxdeveloperextensionsfile-browser.php file. **Recommendations** For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the file-browser.php file to minimize the risk of exploitation. Avoid using the `directory` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue allows an attacker to bypass a safety check by uploading files with specific extensions, such as 'xxx.pht' or 'xxx.phtml', potentially leading to code execution. **Recommendations** For versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue exists due to a CSRF flaw. It can be exploited through the "force" parameter to the "/admin/pages/revisions.php" API endpoint, such as "/admin/pages/revisions/1/?force=false", allowing an attacker to unlock a page with a specific `id`, for example, `id=1`. **Recommendations** For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/pages/revisions.php" API endpoint to minimize the risk of exploitation. Avoid using the `force` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue allows a user to delete their own account, which is supposed to be an admin-only action. This could have security implications as the admin may have other tasks to complete before a user is deleted, such as data backups. **Recommendations** For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to prevent users from deleting their own accounts. As a temporary workaround, consider restricting access to the account deletion feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions prior to 4.2.19 **Description** The issue concerns multiple CSRF problems. Specifically, the `clear` parameter to "core/admin/modules/dashboard/vitals-statistics/404/clear.php" and the `from` or `to` parameters to "core/admin/modules/dashboard/vitals-statistics/404/create-301.php" are affected. **Recommendations** For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "core/admin/modules/dashboard/vitals-statistics/404/clear.php" and "core/admin/modules/dashboard/vitals-statistics/404/create-301.php" endpoints to minimize the risk of exploitation. Avoid using the `clear`, `from`, and `to` parameters in the affected API endpoints until the issue is resolved.