CVE-2017-9443

Name of the Vulnerable Software and Affected Versions BigTree CMS versions 4.2.18 and earlier

Description The issue allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in coreadminmodulesdeveloperextensionsinstallprocess.php and coreadminmodulesdeveloperpackagesinstallprocess.php. The vendor notes that any installed package or extension must be implicitly trusted as they have the ability to write PHP files.

Recommendations For BigTree CMS versions 4.2.18 and earlier, update to a version later than 4.2.18 to resolve the issue. As a temporary workaround, consider restricting the upload of packages and extensions to trusted sources only, and avoid using the tables object in manifest.json until a patch is available. Restrict access to the vulnerable process.php files in the coreadminmodulesdeveloperextensionsinstall and coreadminmodulesdeveloperpackagesinstall directories to minimize the risk of exploitation.