PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-10223 Bigtreecms CVE debrief

CVE-2016-10223 affects BigTree CMS before 4.2.15 (versions through 4.2.14). It is a cross-site scripting (XSS) issue in the core/admin/adjax/dashboard/check-module-integrity.php endpoint, where user-supplied data in the id HTTP GET parameter was not sufficiently filtered before being reflected into the response. According to the published description, an attacker could cause arbitrary HTML and script to execute in a victim's browser in the context of the vulnerable website. NVD records this as a medium-severity issue with CVSS 5.4 and references a patch/release commit in the project repository.

Vendor
Bigtreecms
Product
BigTree CMS (CVE-2016-10223)
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-14
Original CVE updated
2026-05-13
Advisory published
2017-02-14
Advisory updated
2026-05-13

Who should care

Administrators and developers running BigTree CMS at version 4.2.14 or earlier should treat this as relevant. The endpoint sits in the admin interface, so the realistic victim is an authenticated admin user who opens a crafted link; the resulting script runs with that user's session. Security teams that monitor web application input handling and browser-side injection risks should also review exposure.

Technical summary

The vulnerable path is core/admin/adjax/dashboard/check-module-integrity.php. The id query parameter was insufficiently filtered, so attacker-controlled content could be reflected into the HTML response and parsed by the victim's browser as markup or script rather than as text. The NVD entry associates the issue with CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: reachable over the network, low attack complexity, low privileges required (the endpoint is part of the authenticated admin area), user interaction required (the victim must open the crafted link), changed scope (the payload executes in the victim's browser rather than on the server), and limited confidentiality and integrity impact with no availability impact.
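To make the "insufficiently filtered" point concrete, the following Python block is an added example, not BigTree's PHP code and not derived from the referenced commit. It re-creates the reflected-parameter pattern in three forms: raw reflection, a tag-stripping blocklist of the kind that is commonly mistaken for a fix, and an allow-list plus context-aware encoding. The page template, the sample payloads and the assumption that id is a numeric module identifier are all hypothetical; substitute the endpoint's real identifier format.

```python
import html
import re

# Constructed test values for this example (not taken from the advisory).
BENIGN_ID = "42"
PAYLOAD_SCRIPT = "<script>alert(1)</script>"
PAYLOAD_NO_SCRIPT_TAG = '<img src=x onerror="alert(1)">'
PAYLOAD_NESTED = "<scr<script>ipt>alert(1)</script>"


def page(fragment: str) -> str:
    """Hypothetical response template standing in for the endpoint's HTML."""
    return f'<div class="integrity">Module {fragment}: check complete</div>'


def reflect_unsafe(id_value: str) -> str:
    """The vulnerable pattern: the raw query parameter becomes part of the HTML."""
    return id_value


def reflect_blocklist(id_value: str) -> str:
    """Anti-pattern: 'filtering' that only strips <script> tags. Other tags survive,
    and a single pass over a nested tag reassembles the very string it removed."""
    return re.sub(r"(?i)</?script[^>]*>", "", id_value)


def is_acceptable_id(id_value: str) -> bool:
    """Allow-list check. The numeric format is an assumption for this example;
    substitute the real identifier format used by the endpoint."""
    return re.fullmatch(r"[0-9]{1,10}", id_value) is not None


def encode_for_html_text(id_value: str) -> str:
    """Context-aware output encoding for an HTML text node. quote=True also
    escapes quotes, which matters if the value is ever placed in an attribute."""
    return html.escape(id_value, quote=True)


def reflect_hardened(id_value: str) -> str:
    """Validate first, then encode. Validation rejects anything outside the
    expected shape; encoding covers values that pass but still carry metacharacters."""
    if not is_acceptable_id(id_value):
        raise ValueError("id must be a numeric module id")
    return encode_for_html_text(id_value)


def reaches_browser_as_markup(fragment: str) -> bool:
    """Oracle for the demo: an unencoded tag opener means the browser parses the
    reflected value as markup rather than as text."""
    return re.search(r"<[a-zA-Z/]", fragment) is not None


if __name__ == "__main__":
    for name, fn in (("unsafe", reflect_unsafe), ("blocklist", reflect_blocklist)):
        for payload in (PAYLOAD_SCRIPT, PAYLOAD_NO_SCRIPT_TAG, PAYLOAD_NESTED):
            frag = fn(payload)
            verdict = "EXECUTES" if reaches_browser_as_markup(frag) else "inert   "
            print(f"{name:9s} {verdict} {page(frag)}")
    print("hardened  inert    " + page(reflect_hardened(BENIGN_ID)))
    print("encoded   inert    " + page(encode_for_html_text(PAYLOAD_SCRIPT)))
```

The blocklist variant neutralises the textbook `<script>` payload and nothing else, which is the usual shape of an "insufficient filtering" finding: it looks fixed against the first payload tried. The nested payload is the instructive case, since stripping the inner tag once leaves `<script>alert(1)` behind.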

Defensive priority

Medium. This is not listed as known exploited in the supplied data, but it can still enable browser-side injection in affected deployments and should be remediated by upgrading to a fixed release.

Recommended defensive actions

  • Upgrade BigTree CMS to 4.2.15 or later, since versions through 4.2.14 are listed as vulnerable.
  • If you maintain a fork or local modifications of the admin code, review how the affected endpoint handles the id parameter and apply the fix from the referenced commit (or an equivalent) rather than carrying the old code forward.
  • If immediate upgrading is not possible, restrict access to the admin area and minimize exposure of the affected endpoint until remediation is complete.
  • Validate that browser-facing output from the admin dashboard is properly encoded and filtered for HTML/script contexts.
  • Reduce the chance that authenticated administrators open crafted links: keep admin sessions short, avoid following links to the admin area from untrusted mail or messages, and review access logs for requests to the affected endpoint whose id value contains markup.
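For the log review step, the following Python script is an added example, not part of the advisory or the project. It parses Apache combined-format access log lines, isolates requests whose path ends in the affected file name (the directory prefix under which a deployment exposes it is an assumption, so it is not matched), percent-decodes the id value repeatedly so double-encoded payloads are judged in their final form, and flags values that carry HTML metacharacters or event-handler syntax. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access log lines (Apache combined format), not from any real deployment.
# The URL prefix before the file name is a placeholder; only the file name is matched.
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Mar/2017:08:14:02 +0000] "GET /admin/adjax/dashboard/check-module-integrity.php?id=12 HTTP/1.1" 200 512 "https://cms.example/admin/" "Mozilla/5.0"
198.51.100.23 - admin [10/Mar/2017:08:15:40 +0000] "GET /admin/adjax/dashboard/check-module-integrity.php?id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.23 - admin [10/Mar/2017:08:16:05 +0000] "GET /admin/adjax/dashboard/check-module-integrity.php?id=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - admin [10/Mar/2017:08:17:11 +0000] "GET /admin/pages/?search=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT_FILE = "check-module-integrity.php"
# Tag openers, quotes (attribute breakout), javascript: URLs and on*= handlers.
MARKUP_RE = re.compile(r"""[<>"']|javascript:|\bon[a-z]+\s*=""", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3):
    """Percent-decode until the value stops changing. Returns the final form and
    how many extra rounds were needed beyond the query parser's own decoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def find_suspicious_requests(log_text: str):
    """Return one finding per request to the affected endpoint whose decoded id
    value contains markup. Requests to other paths are out of scope here."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + ENDPOINT_FILE):
            continue
        # parse_qs decodes once; decode_fully handles anything encoded on top.
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            decoded, extra_rounds = decode_fully(raw_id)
            if MARKUP_RE.search(decoded):
                findings.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "decoded_id": decoded,
                    "extra_decode_rounds": extra_rounds,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} user={f['user']} status={f['status']} "
              f"decoded x{f['extra_decode_rounds']} id={f['decoded_id']!r}")
```

A 200 status on a flagged request means the endpoint served the reflected value; correlate the client address and the logged admin user with session activity around the same time, since the victim of a reflected XSS is the authenticated user whose browser made the request, not necessarily the attacker.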

Evidence notes

This debrief is based on the NVD CVE record, which states the affected product range is BigTree CMS through 4.2.14 and identifies the vulnerable endpoint and id GET parameter. The supplied references also include the project README and commit 59ebef5978f80e2fdc7b4db4a28b668c5a39fbc3 as patch/release context. NVD lists CVSS 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) and CWE-284.

Official resources

Published by NVD on 2017-02-14 and modified on 2026-05-13. The supplied record indicates BigTree CMS versions through 4.2.14 are affected.