Headline
GHSA-395x-wv32-44v5: baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability
There is a cross-site scripting vulnerability in the management system of baserCMS.
This vulnerability needs to be addressed when the management system is used by an unspecified number of users. If you are affected, please update to the new version as soon as possible.
Target
baserCMS 4.7.1 and earlier versions
Vulnerability
Execution of malicious JavaScript code may alter the display of the page or leak cookie information.
- In Favorite registration (CVE-2022-39325)
- In Permission Settings (CVE-2022-41994)
- In User group management (CVE-2022-42486)
Countermeasures
Update to the latest version of baserCMS
Credits
- Shogo Iyota@Mitsui Bussan Secure Directions, Inc.
- YUYA KOTAKE@CARTA HOLDINGS, INC.
Moderate severity GitHub Reviewed Published Nov 28, 2022 in baserproject/basercms • Updated Nov 28, 2022
Package
composer baserproject/basercms (Composer)
Affected versions
<= 4.7.1
Patched versions
4.7.2
References
- GHSA-395x-wv32-44v5
- https://nvd.nist.gov/vuln/detail/CVE-2022-39325
- baserproject/basercms@b6f8a54
- https://basercms.net/security/JVN_53682526
- https://github.com/baserproject/basercms/releases/tag/basercms-4.7.2
ryuring published the maintainer security advisory on Nov 24, 2022
Severity
Moderate (4.6 / 10)
CVSS base metrics
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Weaknesses
CWE-79
CVE ID
CVE-2022-39325
GHSA ID
GHSA-395x-wv32-44v5
Source code
baserproject/basercms
Related news
Stored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
BaserCMS is a content management system with a Japanese language focus. In affected versions there is a cross-site scripting vulnerability in the management system of baserCMS. This vulnerability needs to be addressed when the management system is used by an unspecified number of users. Users of baserCMS are advised to upgrade as soon as possible. There are no known workarounds for this vulnerability.