CVE-2020-15155 – Cross-Site Scripting in baserCMS
https://notcve.org/view.php?id=CVE-2020-15155
baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected component is toolbar.php. The issue is fixed in version 4.3.7.
• https://basercms.net/security/20200827
• https://github.com/baserproject/basercms/commit/94cbfab74c9fd6d04492597a1a684674c3c0e30f
• https://github.com/baserproject/basercms/security/advisories/GHSA-4r3m-j6x5-48m3
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-15154 – Cross Site Scripting in baserCMS
https://notcve.org/view.php?id=CVE-2020-15154
baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.
• https://basercms.net/security/20200827
• https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18943
https://notcve.org/view.php?id=CVE-2018-18943
An issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI.
• http://sunu11.com/2018/10/31/baserCMS
• https://basercms.net/release/4_1_4
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-18942
https://notcve.org/view.php?id=CVE-2018-18942
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the admin/theme_configs/form data[ThemeConfig][logo] parameter.
• http://sunu11.com/2018/10/31/baserCMS
• https://basercms.net/release/4_1_4
• https://github.com/baserproject/basercms/issues/959
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2018-0572
https://notcve.org/view.php?id=CVE-2018-0572
baserCMS (baserCMS 4.1.0.1 and earlier versions, baserCMS 3.0.15 and earlier versions) allows remote authenticated attackers to bypass access restrictions to view or alter restricted content via unspecified vectors.
• http://jvn.jp/en/jp/JVN67881316/index.html
• https://basercms.net/security/JVN67881316