CVE-2017-16961

medium

Published 2017-11-27 · Modified 2026-05-13

CVSS v3

6.5

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v2

4.0

VIR risk

6.5

Description

A SQL injection vulnerability in core/inc/auto-modules.php in BigTree CMS through 4.2.19 allows remote authenticated attackers to obtain information in the context of the user used by the application to retrieve data from the database. The attack uses an admin/trees/add/process request with a crafted _tags[] parameter that is mishandled in a later admin/ajax/dashboard/approve-change request.

Predictions

Exploit likelihood

75%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/bigtreecms/BigTree-CMS/issues/323

Application impact

Vendor	Product	Versions	Fixed
bigtreecms	bigtree_cms	`{"endIncluding":"4.2.19"}`

References

https://github.com/bigtreecms/BigTree-CMS/issues/323
https://github.com/bigtreecms/BigTree-CMS/issues/323

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.