SQL Injection Vulnerability in BigTree CMS through 4.2.18

SQL Injection Vulnerability in BigTree CMS through 4.2.18

CVE-2017-9443 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:P/A:P

BigTree CMS through 4.2.18 allows remote authenticated users to conduct SQL injection attacks via a crafted tables object in manifest.json in an uploaded package. This issue exists in core\admin\modules\developer\extensions\install\process.php and core\admin\modules\developer\packages\install\process.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.