Описание
Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files.
Ссылки
- Issue TrackingPatchThird Party Advisory
- Issue TrackingPatchThird Party Advisory
Уязвимые конфигурации
EPSS
5.4 Medium
CVSS3
2.7 Low
CVSS3
3.5 Low
CVSS2
Дефекты
Связанные уязвимости
** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2.18 allow remote authenticated users to inject arbitrary web script or HTML by uploading a crafted package, triggering mishandling of the (1) title or (2) version or (3) author_name parameter in manifest.json. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files."
EPSS
5.4 Medium
CVSS3
2.7 Low
CVSS3
3.5 Low
CVSS2