Description
CSRF exists in BigTree CMS through 4.2.18 via the force parameter of /admin/pages/revisions.php; for example, a forged request to /admin/pages/revisions/1/?force=false unlocks the page with id=1.
References (2)
Core References
Exploit, Issue Tracking, Patch (x_refsource_confirm)
https://github.com/bigtreecms/BigTree-CMS/issues/281
Patch (x_refsource_confirm)
https://github.com/bigtreecms/BigTree-CMS/commit/c17d09b05d9c20c214ee2f4fbb52f7307a7b4b6f
Scores
CVSS v3
8.8
EPSS
0.0011
EPSS Percentile
29.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
bigtreecms/bigtree_cms
< 4.2.18
Published
Jun 02, 2017
Tracked Since
Feb 18, 2026