JVN#00876083
Multiple vulnerabilities in baserCMS

Overview

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities.

Products Affected

• baserCMS versions prior to 5.1.3 (baserCMS 5 series)
• baserCMS versions prior to 4.8.2 (baserCMS 4 series)

Description

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below.

• Stored cross-site scripting vulnerability due to inappropriate Slug handling on Article Edit (CWE-79)
  • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  • CVE-2024-46996
• Stored cross-site scripting vulnerability on Edit Email Form Settings (CWE-79)
  • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  • CVE-2024-46998
• Reflected cross-site scripting vulnerability due to inadequate error page generation process (CWE-81)
  • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Base Score 6.1
  • CVE-2024-46995
• Stored cross-site scripting vulnerability due to inappropriate input data handling on Article Edit and Content List (CWE-79)
  • CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4
  • CVE-2024-46994

Impact

• If crafted data is input to the product, an arbitrary script may be executed on the web browser of the user who is accessing the administrative page of the product. Also if a page containing crafted data is published, an arbitrary script may be executed on the web browser of the non-authenticated user viewing the page (CVE-2024-46996, CVE-2024-46998)
• If a user accesses a crafted page while logged in to the affected product, an arbitrary script may be executed on the web browser of the user (CVE-2024-46995, CVE-2024-46994)

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the versions listed below that addresses the vulnerabilities.

• baserCMS 5.1.3 (baserCMS 5 series)
• baserCMS 4.8.2 (baserCMS 4 series)