Description
BigTree CMS 4.2.23 contains a stored cross-site scripting (XSS) vulnerability in /admin/ajax/file-browser/upload/ (the image upload area): attacker-supplied content submitted through the upload endpoint is stored and later rendered to other admin users without adequate output encoding.
Exploits (1)
References (4)
Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Scripting.html
Third Party Advisory, VDB Entry, Exploit (x_refsource_exploit-db): https://www.exploit-db.com/exploits/45628/
Issue Tracking, Patch, Third Party Advisory (x_refsource_misc): https://github.com/bigtreecms/BigTree-CMS/issues/356
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f207302519df72
Scores
CVSS v3: 6.1
EPSS: 0.0460
EPSS Percentile: 89.3%
Attack Vector: NETWORK
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1): bigtreecms/bigtree_cms 4.2.23
Published: Oct 16, 2018
Tracked Since: Feb 18, 2026