Published: 2024/02/27  Last Updated: 2024/04/15

Information from baserCMS Users Community

Vulnerability ID:JVN#73283159
Title:Multiple vulnerabilities in baserCMS
Status:Vulnerable

This is a statement from the vendor itself with no modification by JPCERT/CC.

baserCMS has multiple vulnerabilities including XSS.

### Target
baserCMS 5.0.8 and earlier versions

### Vulnerability
If these vulnerabilities are exploited, arbitrary scripts or OS commands may be executed.

1. XSS vulnerability in Site search Feature(CVE-2023-44379)
2. XSS vulnerability in Content Management(CVE-2024-26128)
3. OS command injection vulnerability in Installer(CVE-2023-51450)

Regarding 1., it is a vulnerability that needs to be addressed only if the management screen is used by an unspecified number of users.
Regarding 3., it is a vulnerability that requires countermeasures when baserCMS installer files are uploaded to the server but not installed.

### Countermeasures
Update to the latest version of baserCMS

Please refer to the following page to reference for more information.
https://basercms.net/security/JVN_73283159

### Credits
- Kentaro Ishii@GMO Cybersecurity by Ierae, Inc.
- Shunsuke Tanizaki
- Yusuke Uchida@PERSOL CROSS TECHNOLOGY CO., LTD.

update history

2024/04/15