CVE-2018-18943
https://notcve.org/view.php?id=CVE-2018-18943
An issue was discovered in baserCMS before 4.1.4. In the Register New Category feature of the Upload menu, the category name can be used for XSS via the data[UploaderCategory][name] parameter to an admin/uploader/uploader_categories/edit URI. Se ha descubierto un problema en versiones anteriores a la 4.1.4 de baserCMS. En la característica Register New Category del menú Upload, el nombre de categoría se puede emplear para Cross-Site Scripting (XSS) mediante el parámetro data[UploaderCategory][name] en un URI admin/uploader/uploader_categories/edit. • http://sunu11.com/2018/10/31/baserCMS https://basercms.net/release/4_1_4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-18942
https://notcve.org/view.php?id=CVE-2018-18942
In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the admin/theme_configs/form data[ThemeConfig][logo] parameter. En baserCMS en versiones anteriores a la 4.1.4, lib\Baser\Model\ThemeConfig.php permite que atacantes remotos ejecuten código PHP arbitrario mediante el parámetro data[ThemeConfig][logo] en admin/theme_configs/form. • http://sunu11.com/2018/10/31/baserCMS https://basercms.net/release/4_1_4 https://github.com/baserproject/basercms/issues/959 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2016-4879
https://notcve.org/view.php?id=CVE-2016-4879
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. Vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Mail para baserCMS en versiones 3.0.10 y anteriores, que permitiría a atacantes remotos secuestrar la autenticación de los administradores a través de vectores no especificados. • http://basercms.net/security/JVN92765814 http://www.securityfocus.com/bid/93217 https://jvn.jp/en/jp/JVN92765814/index.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2015-5640
https://notcve.org/view.php?id=CVE-2015-5640
baserCMS before 3.0.8 allows remote authenticated users to modify arbitrary user settings via a crafted request. baserCMS en versiones anteriores a 3.0.8 permite a usuarios remotos autenticados modificar configuración de usuario arbitraria a través de una petición manipulada. • http://basercms.net/security/JVN04855224 http://jvn.jp/en/jp/JVN04855224/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2015-000138 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2015-5641
https://notcve.org/view.php?id=CVE-2015-5641
SQL injection vulnerability in baserCMS before 3.0.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en baserCMS en versiones anteriores a 3.0.8 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://basercms.net/security/JVN79633796 http://jvn.jp/en/jp/JVN79633796/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2015-000139 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •