
Hazzel-Cno

Rank: #17715 of 53,633
Total CVSS: 15.2
Vulnerabilities: 2 (Medium: 1, Critical: 1)
PT-2018-9849 · CVSS 5.4 · 2018-04-30
Bigtree · Bigtree · CVE-2018-10364
Name of the Vulnerable Software and Affected Versions: BigTree versions prior to 4.2.22
Description: The issue concerns a problem with the Users management page, where input in the `name` or `company` field is not properly sanitized, leading to potential XSS issues.
Recommendations: For versions prior to 4.2.22, update to version 4.2.22 or later to resolve the issue.
PT-2018-9972 · CVSS 9.8 · 2018-04-30
Bigtree · Bigtree · CVE-2018-10574
Name of the Vulnerable Software and Affected Versions: BigTree versions 4.2.22 and earlier
Description: The issue allows remote attackers to upload and execute arbitrary PHP code. This is because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files, which can be exploited to execute malicious code. The API endpoint "site/index.php/admin/trees/add/" is specifically vulnerable to this attack.
Recommendations: For BigTree versions 4.2.22 and earlier, consider disabling the "site/index.php/admin/trees/add/" endpoint until a patch is available to prevent the upload and execution of arbitrary PHP code. Additionally, restrict access to the BigTreeStorage class in core/inc/bigtree/apis/storage.php to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.