Japan Vulnerability Notes, JVN:73283159
Feb 27, 2024 - 12:00 a.m.

JVN#73283159: Multiple vulnerabilities in baserCMS

Published: 2024-02-27 00:00:00
Source: Japan Vulnerability Notes (jvn.jp)
Tags: basercms, cross-site scripting, command injection, update, software, cve-2023-44379, cve-2024-26128, cve-2023-51450

CVSS3: 6.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 7.6 (Confidence: High)

EPSS: 0.001 (Percentile: 16.3%)

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below.

Reflected cross-site scripting vulnerability in Site search Feature (CWE-79) - CVE-2023-44379

  • CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Base Score: 6.1)
  • CVSS v2: AV:N/AC:M/Au:N/C:N/I:P/A:N (Base Score: 4.3)

Stored cross-site scripting vulnerability in Content Management (CWE-79) - CVE-2024-26128

  • CVSS v3: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Base Score: 5.4)
  • CVSS v2: AV:N/AC:M/Au:S/C:N/I:P/A:N (Base Score: 3.5)

OS command injection vulnerability (CWE-78) - CVE-2023-51450

  • CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (Base Score: 8.1)
  • CVSS v2: AV:N/AC:M/Au:N/C:P/I:P/A:P (Base Score: 6.8)

Impact

  • An arbitrary script may be executed on the web browser of the user who accessed the site using the product - CVE-2023-44379
  • An arbitrary script may be executed on the web browser of the user who accessed the administrative page of the product - CVE-2024-26128
  • An arbitrary OS command may be executed by a remote attacker - CVE-2023-51450

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.
The developer has released baserCMS 5.0.10 that contains fixes for the vulnerabilities.

Products Affected

  • baserCMS 5.0.8 and earlier
