Published: 2021/11/26  Last Updated: 2021/11/26

JVN#81376414
Multiple vulnerabilities in baserCMS

Overview

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities.

Products Affected

  • baserCMS versions prior to 4.5.4

Description

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2021-41243
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score: 8.8
    CVSS v2 AV:N/AC:L/Au:S/C:C/I:C/A:C Base Score: 9.0
  • Arbitrary code upload vulnerability in Database restore (CWE-434) - CVE-2021-41279
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:L/Au:S/C:N/I:P/A:N Base Score: 4.0

Impact

  • An arbitrary OS command may be executed by a user who can access the product with Operator authority - CVE-2021-41243
  • Malicious code may be uploaded by a user who can access the product with Operator authority. As a result, arbitrary code may be executed - CVE-2021-41279

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.
The developer has released baserCMS 4.5.4, which contains a fix for these vulnerabilities.

Vendor Status

Vendor                     Status      Last Update   Vendor Notes
baserCMS Users Community   Vulnerable  2021/11/26    baserCMS Users Community website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

CVE-2021-41243
Akagi Yusuke of NTT-ME CORPORATION reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

CVE-2021-41279
Daniele Scanu of SoterITSecurity reported this vulnerability to baserCMS Users Community, which then reported it to JPCERT/CC so that users could be notified of the solution through JVN.

Other Information

CVE          CVE-2021-41243
             CVE-2021-41279
JVN iPedia   JVNDB-2021-000106