CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41279 – Zip Slip Vulnerability in BaserCMS
https://notcve.org/view.php?id=CVE-2021-41279
BaserCMS is an open source content management system with a focus on Japanese language support. In affected versions users with upload privilege may upload crafted zip files capable of path traversal on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible. BaserCMS es un sistema de administración de contenidos de código abierto centrado en el soporte del idioma japonés. • https://github.com/baserproject/basercms/commit/d8ab0a81a7bce35cc95ff7dff851a7e87a084336 https://github.com/baserproject/basercms/security/advisories/GHSA-4x2f-54wr-4hjg • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41243 – OS Command Injection Vulnerability and Potential Zip Slip Vulnerability
https://notcve.org/view.php?id=CVE-2021-41243
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible. Se presenta una Vulnerabilidad Potencial de Deslizamiento de Zip y de Inyección de Comandos del Sistema Operativo en el sistema de administración de baserCMS. • https://github.com/baserproject/basercms/commit/9088b99c329d1faff3a2f1269f37b9a9d8d5f6ff https://github.com/baserproject/basercms/security/advisories/GHSA-7rpc-9m88-cf9w • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39136 – Cross-site scripting vulnerability in file upload
https://notcve.org/view.php?id=CVE-2021-39136
baserCMS is an open source content management system with a focus on Japanese language support. In affected versions there is a cross-site scripting vulnerability in the file upload function of the management system of baserCMS. Users are advised to update as soon as possible. No workaround are available to mitigate this issue. baserCMS es un sistema de administración de contenidos de código abierto centrado en el soporte del idioma Japonés. En las versiones afectadas se presenta una vulnerabilidad de tipo cross-site scripting en la función file upload del sistema de administración de baserCMS. • http://jvn.jp/en/jp/JVN14134801/index.html https://basercms.net/security/JVN_14134801 https://github.com/baserproject/basercms/commit/568d4cab5ba1cdee7bbf0133c676d02a98f6d7bc https://github.com/baserproject/basercms/security/advisories/GHSA-hgjr-632x-qpp3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20683
https://notcve.org/view.php?id=CVE-2021-20683
Improper neutralization of JavaScript input in the blog article editing function of baserCMS versions prior to 4.4.5 allows remote authenticated attackers to inject an arbitrary script via unspecified vectors. Una neutralización inapropiada de la entrada de JavaScript en la función blog article editing de baserCMS versiones anteriores a 4.4.5, permite a atacantes autenticados remotos inyectar un script arbitrario por medio de vectores no especificados. • https://basercms.net/security/JVN64869876 https://jvn.jp/en/jp/JVN64869876/index.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20682
https://notcve.org/view.php?id=CVE-2021-20682
baserCMS versions prior to 4.4.5 allows a remote attacker with an administrative privilege to execute arbitrary OS commands via unspecified vectors. baserCMS versiones anteriores a 4.4.5, permiten a un atacante remoto con privilegios administrativos ejecutar comandos arbitrarios del Sistema Operativo por medio de vectores no especificados. • https://basercms.net/security/JVN64869876 https://jvn.jp/en/jp/JVN64869876/index.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •