PT-2017-18889 · Bigtree · Bigtree Cms

Xfkxfk

Published

2017-06-02

Updated

2017-06-06

CVE-2017-9379

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions BigTree CMS versions prior to 4.2.19

Description The issue concerns multiple CSRF problems. Specifically, the clear parameter to "core/admin/modules/dashboard/vitals-statistics/404/clear.php" and the from or to parameters to "core/admin/modules/dashboard/vitals-statistics/404/create-301.php" are affected.

Recommendations For BigTree CMS versions prior to 4.2.19, update to version 4.2.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the "core/admin/modules/dashboard/vitals-statistics/404/clear.php" and "core/admin/modules/dashboard/vitals-statistics/404/create-301.php" endpoints to minimize the risk of exploitation. Avoid using the clear, from, and to parameters in the affected API endpoints until the issue is resolved.

Exploit

Fix

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-352

Related Identifiers

CVE-2017-9379

Affected Products

Bigtree Cms

PT-2017-18889 · Bigtree · Bigtree Cms

CVE-2017-9379

Weakness Enumeration

Related Identifiers

Affected Products

References · 4