CVE-2017-16961

Name of the Vulnerable Software and Affected Versions BigTree CMS versions prior to 4.2.20

Description A SQL injection issue allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack involves an admin/trees/add/process request with a crafted tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request.

Recommendations For BigTree CMS versions prior to 4.2.20, update to version 4.2.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/trees/add/process and admin/ajax/dashboard/approve-change requests to minimize the risk of exploitation. Avoid using the tags[] parameter in the affected requests until the issue is resolved.