CVE-2018-6013

Name of the Vulnerable Software and Affected Versions: BigTree version 4.2.19

Description: The issue allows remote users to inject arbitrary web script or HTML via the directory parameter in the /core/admin/ajax/developer/extensions/file-browser.php API endpoint. This is a cross-site scripting (XSS) issue.

Recommendations: For BigTree version 4.2.19, as a temporary workaround, consider restricting access to the /core/admin/ajax/developer/extensions/file-browser.php API endpoint until a patch is available. Avoid using the directory parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.