Vulnerability Description
BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an HTTP Referer header. This was found in core/admin/modules/developer/_header.php and patched in core/inc/bigtree/admin.php on 2017-04-14.
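The following is an added illustration, not BigTree's own code: a Python re-implementation of the two kinds of Referer check the description contrasts. The weak form looks for the required URI as a substring anywhere in the header, so a cross-origin Referer that carries `admin/developer/` in its query string passes; the hardened form parses the URL and compares the origin and the path prefix separately. The host name and sample Referer values are constructed assumptions.

```python
from urllib.parse import urlparse

# Protected URI prefix named in the advisory; the host is an assumed deployment.
PROTECTED_PREFIX = "/admin/developer/"
SITE_HOST = "cms.example.com"  # assumption, not from the advisory


def weak_referer_check(referer: str) -> bool:
    """Substring check of the kind the advisory describes.

    Passes whenever the required URI appears anywhere in the Referer,
    including inside the query string of a page on another origin.
    """
    return "admin/developer/" in referer


def hardened_referer_check(referer: str) -> bool:
    """Parse the Referer and require an expected origin plus a path prefix.

    Only the path component is compared against the prefix, so text in the
    query string or fragment cannot satisfy the check. A missing or
    non-HTTP(S) Referer is rejected rather than treated as trusted.
    """
    if not referer:
        return False
    parts = urlparse(referer)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.hostname != SITE_HOST:
        return False
    return parts.path.startswith(PROTECTED_PREFIX)


# Constructed sample Referer values for the two checks.
LEGIT = "https://cms.example.com/admin/developer/modules/"
CROSS_ORIGIN_QUERY = "https://other.example/page?next=/admin/developer/"
SAME_HOST_QUERY = "https://cms.example.com/?r=admin/developer/"


def compare_checks() -> dict:
    """Return pass/fail of both checks for each sample, for inspection."""
    samples = {"legit": LEGIT, "cross_origin_query": CROSS_ORIGIN_QUERY,
               "same_host_query": SAME_HOST_QUERY, "missing": ""}
    return {name: (weak_referer_check(ref), hardened_referer_check(ref))
            for name, ref in samples.items()}
```

Even the parsed form is only a secondary control, since browsers may omit or trim the Referer; the primary CSRF defence remains a per-session synchronizer token on every state-changing request.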
CVSS Score
HIGH (base score 8.8)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bigtreecms | Bigtree Cms | <= 4.2.17 |
Related Weaknesses (CWE)
References
- https://github.com/bigtreecms/BigTree-CMS/commit/7761481ac40d83ac29fef42bc6b3c07 (Issue Tracking, Patch, Third Party Advisory)
- https://www.cdxy.me/?p=765 (Exploit, Third Party Advisory)
FAQ
What is CVE-2017-7881?
CVE-2017-7881 is a vulnerability with a CVSS score of 8.8 (HIGH). BigTree CMS through 4.2.17 relies on a substring check for CSRF protection, which allows remote attackers to bypass this check by placing the required admin/developer/ URI within a query string in an ...
How severe is CVE-2017-7881?
CVE-2017-7881 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7881?
Check the references section above for vendor advisories and patch information. Affected products include: Bigtreecms Bigtree Cms.