PT-2017-18923 · Bigtree · Bigtree Cms

Xfkxfk · Published 2017-06-05 · Updated 2024-08-16 · CVE-2017-9441

CVSS v3.1: 5.4 (Medium) · Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: BigTree CMS versions through 4.2.18
Description: Multiple cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package. The issue is triggered by mishandling of the title, version, or author name parameter in manifest.json. This exists in core/admin/modules/developer/extensions/install/unpack.php and core/admin/modules/developer/packages/install/unpack.php. The vendor notes that any installed package or extension must be implicitly trusted, since packages can write PHP files.
Recommendations: For BigTree CMS versions through 4.2.18, consider disabling the package installation feature until a patch is available, to prevent exploitation of the title, version, and author name parameters in manifest.json. Restrict access to core/admin/modules/developer/extensions/install/unpack.php and core/admin/modules/developer/packages/install/unpack.php to minimize the risk of arbitrary web script or HTML injection. Avoid using the title, version, and author name parameters from manifest.json in the affected files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
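As an added example (not BigTree's own code), the kind of validation and output escaping a defender would put in front of the manifest.json fields named above before the installer displays them; the key names title, version and author, the length limit and the version pattern are assumptions for illustration:

```php
<?php
// Added example, not BigTree's own code: validate and escape the title/version/author
// fields of an uploaded package's manifest.json before showing them in the installer UI.
// The key names, the length limit and the version pattern are assumptions for illustration.
const MANIFEST_MAX_LEN = 120;
// Returns a list of error strings; an empty list means the metadata is acceptable.
function validate_manifest_metadata(array $manifest): array
{
    $errors = [];
    foreach (['title', 'version', 'author'] as $key) {
        if (!isset($manifest[$key]) || !is_string($manifest[$key])) {
            $errors[] = "manifest.json: '$key' is missing or not a string";
            continue;
        }
        $value = $manifest[$key];
        if (strlen($value) > MANIFEST_MAX_LEN) {
            $errors[] = "manifest.json: '$key' is longer than " . MANIFEST_MAX_LEN . " bytes";
        }
        // Reject control characters and the characters that open HTML tags or attributes.
        if (preg_match('/[\x00-\x1F<>"\']/', $value)) {
            $errors[] = "manifest.json: '$key' contains forbidden characters";
        }
    }
    // A version should be a dotted release number, not free text.
    if (is_string($manifest['version'] ?? null) && !preg_match('/^\d+(\.\d+){0,3}$/', $manifest['version'])) {
        $errors[] = "manifest.json: 'version' is not a dotted numeric version";
    }
    return $errors;
}
// Escape a value for an HTML text node or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Render the installer confirmation row; output is escaped even after validation (defence in depth).
function render_manifest_summary(array $manifest): string
{
    return '<tr><td>' . h($manifest['title']) . '</td><td>' . h($manifest['version'])
        . '</td><td>' . h($manifest['author']) . '</td></tr>';
}
// Constructed sample manifest whose title carries a script tag; it is rejected by validation.
$manifest = json_decode('{"title":"Demo<script>alert(1)</script>","version":"1.0.0","author":"someone"}', true, 512, JSON_THROW_ON_ERROR);
$errors = validate_manifest_metadata($manifest);
if ($errors) {
    foreach ($errors as $e) { echo $e, "\n"; }  // refuse the package
} else {
    echo render_manifest_summary($manifest), "\n";
}
```

Note that, as the vendor remark above implies, escaping these fields only removes the XSS; anyone permitted to install packages can still write PHP files, so the stronger control is limiting who may reach the installer at all.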

Tags: XSS

Weakness Enumeration

Related Identifiers: CVE-2017-9441

Affected Products: Bigtree Cms