CVE-2017-9365

Name of the Vulnerable Software and Affected Versions BigTree CMS versions prior to 4.2.19

Description The issue exists due to a CSRF flaw. It can be exploited through the "force" parameter to the "/admin/pages/revisions.php" API endpoint, such as "/admin/pages/revisions/1/?force=false", allowing an attacker to unlock a page with a specific id, for example, id=1.

Recommendations For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/pages/revisions.php" API endpoint to minimize the risk of exploitation. Avoid using the force parameter in the affected API endpoint until the issue is resolved.