CVE-2018-18308 - OpenCVE

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Bigtreecms	Bigtree Cms

Configuration 1 [-]

cpe:2.3:a:bigtreecms:bigtree_cms:4.2.23:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Scripting.html	Third Party Advisory VDB Entry
https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f207302519df72	Patch Third Party Advisory
https://github.com/bigtreecms/BigTree-CMS/issues/356	Issue Tracking Patch Third Party Advisory
https://www.exploit-db.com/exploits/45628/	Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-10-16T22:00:00

Updated: 2019-04-09T19:52:52

Reserved: 2018-10-14T00:00:00

Link: CVE-2018-18308

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-10-16T22:29:01.807

Modified: 2019-04-12T19:56:27.710

Link: CVE-2018-18308

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-10-14T00:00:00", "descriptions": [{"lang": "en", "value": "In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-09T19:52:52", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Scripting.html"}, {"name": "45628", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/45628/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/bigtreecms/BigTree-CMS/issues/356"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f207302519df72"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18308", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Scripting.html"}, {"name": "45628", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/45628/"}, {"name": "https://github.com/bigtreecms/BigTree-CMS/issues/356", "refsource": "MISC", "url": "https://github.com/bigtreecms/BigTree-CMS/issues/356"}, {"name": "https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f207302519df72", "refsource": "CONFIRM", "url": "https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f207302519df72"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18308", "datePublished": "2018-10-16T22:00:00", "dateReserved": "2018-10-14T00:00:00", "dateUpdated": "2019-04-09T19:52:52", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bigtreecms:bigtree_cms:4.2.23:*:*:*:*:*:*:*", "matchCriteriaId": "02EFDC1C-51B6-4C28-8ECE-5C4445E43CF8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area)."}, {"lang": "es", "value": "En la versi\u00f3n 4.2.23 de BigTree, se ha descubierto una vulnerabilidad Cross-Site Scripting (XSS) persistente en /admin/ajax/file-browser/upload/ (tambi\u00e9n conocida como \u00e1rea de subida de im\u00e1genes)."}], "id": "CVE-2018-18308", "lastModified": "2019-04-12T19:56:27.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-16T22:29:01.807", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f207302519df72"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/bigtreecms/BigTree-CMS/issues/356"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45628/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}