CVE-2017-16961

Source
https://cve.org/CVERecord?id=CVE-2017-16961
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16961.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-16961
Published
2017-11-27T10:29:00.597Z
Modified
2026-07-08T11:49:20.494669Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request.

References

Affected packages

Git / github.com/bigtreecms/bigtree-cms

Affected ranges

Type
GIT
Repo
https://github.com/bigtreecms/bigtree-cms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:bigtreecms:bigtree_cms:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.19"
        }
    ]
}

Affected versions

4.*
4.0beta2
4.2
4.2.10
4.2.11
4.2.12
4.2.13
4.2.14
4.2.15
4.2.16
4.2.17
4.2.18
4.2.19
4.2.8
4.2.9
v4.*
v4.0b1
v4.0b3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-16961.json"