Arbitrary Web Script Injection in BigTree CMS through 4.2.18

Arbitrary Web Script Injection in BigTree CMS through 4.2.18

CVE-2017-9441 · LOW Severity

AV:N/AC:M/AU:S/C:N/I:P/A:N

Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files.

Learn more about our Web App Pen Testing.