|
JVNDB-2023-000028
|
baserCMS vulnerable to arbitrary file uploads
|
baserCMS, provided by baserCMS Users Community, allows an authenticated user to upload arbitrary files (CWE-434).
Taisei Inoue of GMO Cybersecurity by Ierae, Inc., Yusuke Akagi of Mitsui Bussan Secure Directions, Inc., and Shiga Takuma of BroadBand Security, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: Single Instance
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
baserCMS Users Community
- baserCMS versions prior to 4.7.5
|
|
A user with Operator privilege may upload arbitrary files. As a result, arbitrary PHP code may be executed.
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer released baserCMS 4.7.5, which contains a fix for this vulnerability.
|
baserCMS Users Community
|
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2023-25655
|
- JVN : JVN#61105618
- National Vulnerability Database (NVD) : CVE-2023-25655
|
- [2023/03/27] Web page was published
- [2023/06/01] Overview was modified
- [2024/06/06] References : Content was added
|