A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request.
References
| Link | Resource |
|---|---|
| https://github.com/bigtreecms/BigTree-CMS/issues/323 | Exploit, Issue Tracking, Patch, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-11-27T10:00:00
Updated: 2017-11-27T09:57:01
Reserved: 2017-11-27T00:00:00
Link: CVE-2017-16961
NVD Information
Status: Analyzed
Published: 2017-11-27T10:29:00.597
Modified: 2017-12-07T18:41:40.437
Link: CVE-2017-16961
Redhat Information
No data.
CWE