JVN#92765814
Multiple vulnerabilities in baserCMS
Overview
baserCMS and multiple bundled plugins (Blog, Mail, Feed, and Uploader) contain multiple vulnerabilities.
Products Affected
- baserCMS version 3.0.10 and earlier
- baserCMS plugin Blog version 3.0.10 and earlier
- baserCMS plugin Mail version 3.0.10 and earlier
- baserCMS plugin Feed version 3.0.10 and earlier
- baserCMS plugin Uploader version 3.0.10 and earlier
Description
baserCMS, provided by baserCMS User Group, is an open source content management system.
baserCMS and the bundled plugins "Blog", "Mail", "Feed", and "Uploader" contain the following vulnerabilities.
Cross-site request forgery (CWE-352) - CVE-2016-4879, CVE-2016-4881, CVE-2016-4884, CVE-2016-4885, CVE-2016-4886
When any of the plugins "Blog", "Mail", or "Feed" is enabled and a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to perform unintended operations on the baserCMS server.
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Cross-site request forgery (CWE-352) - CVE-2016-4887
When the "Uploader" plugin is enabled and a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to perform unintended operations on the baserCMS server, such as deletion of a file or alteration of the access restriction configuration.
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:N | Base Score: 4.0 |
Cross-site request forgery (CWE-352) - CVE-2016-4876
When a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to create a PHP file in a certain directory. As a result, arbitrary PHP code may be executed on the server.
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Cross-site request forgery (CWE-352) - CVE-2016-4878, CVE-2016-4882
When a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to perform unintended operations on baserCMS.
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:N | Base Score: 4.0 |
Stored cross-site scripting (CWE-79) - CVE-2016-4877, CVE-2016-4880, CVE-2016-4883
A user in the Administrative group may be tricked into inserting an arbitrary script into an administration page. The stored script may be executed in the user's web browser when another user in the Administrative group accesses the administration page.
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |
Impact
- An arbitrary script may be executed in the user's web browser - CVE-2016-4877, CVE-2016-4880, CVE-2016-4883
- An arbitrary administrative operation, such as configuration alteration, may be executed on the baserCMS server - CVE-2016-4879, CVE-2016-4881, CVE-2016-4884, CVE-2016-4885, CVE-2016-4886, CVE-2016-4887, CVE-2016-4876, CVE-2016-4878, CVE-2016-4882
Solution
Update the Software
Update the software according to the information provided by the developer.
An old version of the "Uploader" plugin is provided at the baser market. The developer states that applying the baserCMS update overwrites the old version of the "Uploader" plugin.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
baserCMS Users Community | Vulnerable | 2016/09/29 | baserCMS Users Community website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
The following researchers reported the respective vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning partnership.
CVE-2016-4876
Shoji Baba
CVE-2016-4877
Isao Takaesu of Mitsui Bussan Secure Directions, Inc. and Norihiko Hirukawa of FiveDrive Inc.
CVE-2016-4878
Norihiko Hirukawa of FiveDrive Inc.
CVE-2016-4879, CVE-2016-4880, and CVE-2016-4881
Isao Takaesu of Mitsui Bussan Secure Directions, Inc.
CVE-2016-4882, CVE-2016-4883, CVE-2016-4884, CVE-2016-4885, CVE-2016-4886, and CVE-2016-4887
Masamu Asato of National Institute of Technology, Okinawa College
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2016-4876, CVE-2016-4877, CVE-2016-4878, CVE-2016-4879, CVE-2016-4880, CVE-2016-4881, CVE-2016-4882, CVE-2016-4883, CVE-2016-4884, CVE-2016-4885, CVE-2016-4886, CVE-2016-4887 |
JVN iPedia | JVNDB-2016-000172, JVNDB-2016-000173, JVNDB-2016-000174, JVNDB-2016-000175, JVNDB-2016-000176, JVNDB-2016-000177, JVNDB-2016-000178, JVNDB-2016-000179, JVNDB-2016-000180, JVNDB-2016-000181, JVNDB-2016-000182, JVNDB-2016-000183 |