SQL Injection Vulnerability in BigTree CMS 4.2.18: Remote Code Execution via core/admin/modules/developer/modules/views/create.php

CVE-2017-9449 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:P/A:P

SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary SQL commands via core/admin/modules/developer/modules/views/create.php. The attacker creates a crafted table name at admin/developer/modules/views/create/ and the injection is visible at admin/ajax/auto-modules/views/searchable-page/ or admin/modules_name.

Learn more about our Cms Pen Testing.