Published: 2017/08/25 Last Updated: 2017/08/25
JVN#78151490
Multiple vulnerabilities in baserCMS
Overview
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities.
Products Affected
- baserCMS version 3.0.14 and earlier
- baserCMS version 4.0.5 and earlier
Description
baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below.
- SQL injection (CWE-89) - CVE-2017-10842
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 7.3
  CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
- Arbitrary files may be deleted - CVE-2017-10843
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 7.3
  CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
- Arbitrary PHP code execution - CVE-2017-10844
  CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
  CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
Impact
- A remote attacker may execute arbitrary SQL commands to create files, or to obtain or alter information stored in the database. - CVE-2017-10842
- A remote attacker may obtain or delete arbitrary files on the system. - CVE-2017-10843
- A user may execute arbitrary PHP code on the server. - CVE-2017-10844
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
Apply the Patch
Patches have been released. For more information, refer to "How to Apply the Patches".
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
baserCMS Users Community | Vulnerable | 2017/08/25 | baserCMS Users Community website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Shoji Baba reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
Other Information
Item | Reference |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2017-10842, CVE-2017-10843, CVE-2017-10844 |
JVN iPedia | JVNDB-2017-000203 |