CVE-2020-26669

Name of the Vulnerable Software and Affected Versions BigTree CMS versions 4.4.10 and earlier

Description A stored cross-site scripting (XSS) vulnerability was discovered in BigTree CMS, which allows an authenticated attacker to execute arbitrary web scripts or HTML via the page content to "site/index.php/admin/pages/update". The vulnerability is related to the lack of input data sanitization in the "site/index.php/admin/pages/update" component. This could enable a remote attacker to perform cross-site scripting attacks.

Recommendations For BigTree CMS versions 4.4.10 and earlier, as a temporary workaround, consider disabling access to the "site/index.php/admin/pages/update" page until a patch is available. Restrict the ability to update page content to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.