Published: 2017/08/25  Last Updated: 2017/08/25

JVN#78151490
Multiple vulnerabilities in baserCMS

Overview

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities.

Products Affected

  • baserCMS version 3.0.14 and earlier
  • baserCMS version 4.0.5 and earlier

Description

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below.

  • SQL injection (CWE-89) - CVE-2017-10842
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 7.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Arbitrary files may be deleted - CVE-2017-10843
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Base Score: 7.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5
  • Arbitrary PHP code execution - CVE-2017-10844
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 6.3
    CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P Base Score: 7.5

Impact

  • A remote attacker may execute arbitrary SQL commands to create files or to obtain or alter information stored in the database. - CVE-2017-10842
  • A remote attacker may obtain or delete arbitrary files on the system. - CVE-2017-10843
  • A user may execute arbitrary PHP code on the server. - CVE-2017-10844

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Apply the Patch
Patches have been released. For more information, refer to "How to Apply the Patches".

Vendor Status

Vendor                    | Status     | Last Update | Vendor Notes
--------------------------|------------|-------------|----------------------------------
baserCMS Users Community  | Vulnerable | 2017/08/25  | baserCMS Users Community website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Shoji Baba reported the vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2017-10842, CVE-2017-10843, CVE-2017-10844
JVN iPedia: JVNDB-2017-000203