CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 61.9% |
baserCMS, provided by the baserCMS User Group, is an open-source content management system.
baserCMS and the bundled plugins “Blog”, “Mail”, “Feed”, and “Uploader” contain the following vulnerabilities.
Cross-site request forgery (CWE-352) - CVE-2016-4879, CVE-2016-4881, CVE-2016-4884, CVE-2016-4885, CVE-2016-4886
When any of the plugins “Blog”, “Mail”, or “Feed” is enabled and a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to conduct unintended operations on the baserCMS server.
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Cross-site request forgery (CWE-352) - CVE-2016-4887
When the “Uploader” plugin is enabled and a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to conduct unintended operations on the baserCMS server, such as deleting a file or altering the access restriction configuration.
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:N | Base Score: 4.0 |
Cross-site request forgery (CWE-352) - CVE-2016-4876
When a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to create a PHP file in a certain directory. As a result, arbitrary PHP code may be executed on the server.
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Base Score: 4.3 |
CVSS v2 | AV:N/AC:H/Au:N/C:N/I:P/A:N | Base Score: 2.6 |
Cross-site request forgery (CWE-352) - CVE-2016-4878, CVE-2016-4882
When a logged-in user in the Administrative group accesses a malicious URL, the user may be forced to conduct unintended operations on baserCMS.
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:H/Au:N/C:P/I:P/A:N | Base Score: 4.0 |
Stored cross-site scripting (CWE-79) - CVE-2016-4877, CVE-2016-4880, CVE-2016-4883
A user in the Administrative group may be tricked into inserting an arbitrary script in an administration page. The stored script may then be executed in the web browser of another user in the Administrative group who accesses that administration page.
Version | Vector | Score |
---|---|---|
CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Base Score: 5.4 |
CVSS v2 | AV:N/AC:L/Au:S/C:N/I:P/A:N | Base Score: 4.0 |
Update the Software
Update the software according to the information provided by the developer.
An old version of the “Uploader” plugin is provided on the baser market. The developer states that applying the baserCMS update overwrites the old version of the “Uploader” plugin.