Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files.
References
Link | Resource |
---|---|
https://github.com/bigtreecms/BigTree-CMS/issues/290 | Issue Tracking Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-10-03T16:23:08
Updated: 2024-06-04T17:11:52.939Z
Reserved: 2022-10-03T00:00:00
Link: CVE-2017-9441
JSON object: View
NVD Information
Status : Modified
Published: 2017-06-05T19:29:00.213
Modified: 2024-06-04T19:16:55.397
Link: CVE-2017-9441
JSON object: View
Redhat Information
No data.
CWE