CVE-2018-18308

moderate-risk
Published 2018-10-16

In the 4.2.23 version of BigTree, a Stored XSS vulnerability has been discovered in /admin/ajax/file-browser/upload/ (aka the image upload area).

Do I need to act?

~
4.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
45628
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Bigtreecms

References (8)

Third Party Advisory http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Script...
Patch https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f2073...
Issue Tracking https://github.com/bigtreecms/BigTree-CMS/issues/356
Third Party Advisory https://www.exploit-db.com/exploits/45628/
Third Party Advisory http://packetstormsecurity.com/files/149788/BigTree-CMS-4.2.23-Cross-Site-Script...
Patch https://github.com/bigtreecms/BigTree-CMS/commit/ffd668a3aa7d2f540dbcdf5751f2073...
Issue Tracking https://github.com/bigtreecms/BigTree-CMS/issues/356
Third Party Advisory https://www.exploit-db.com/exploits/45628/
36
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 8/34 · Low
Exposure 5/34 · Minimal