VYPR
Low severity · NVD Advisory · Published Aug 28, 2020 · Updated Aug 4, 2024

Cross Site Scripting in baserCMS

CVE-2020-15154

Description

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An admin-level XSS in baserCMS 4.3.6 and earlier: content fields saved by one administrator are rendered unescaped on several content-management screens, so injected script runs in other administrators' sessions; patched in 4.3.7.

Overview

CVE-2020-15154 is a Cross-Site Scripting (XSS) vulnerability in baserCMS versions 4.3.6 and earlier. The root cause is missing output escaping in several admin-theme templates (content_fields.php, content_info.php, content_options.php, content_related.php and index_list_tree.php) together with the admin content-tree script jquery.bcTree.js, which handed node titles to jsTree as HTML and hand-rolled its own entity encoding around renames.[1][2] The official description notes that admin access is required to exploit this issue.[2]

Exploitation

An attacker with administrative privileges saves a content title, description or similar field containing JavaScript; the payload fires when any administrator opens one of the affected content-management screens. The fix commit shows what was wrong: CakePHP's h() (htmlspecialchars with ENT_QUOTES) was added around echo statements that had been emitting stored values raw, and the content tree now sets jsTree's core.force_text so node titles are rendered as text rather than markup, replacing the manual escape/unescape chain in jquery.bcTree.js.[1] The attack surface is limited to authenticated administrators who can edit content, and the victims are the administrators who later view those screens.
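As an added illustration (not baserCMS code), the JavaScript below contrasts the two escaping strategies the patch moves between: a single-pass escape at the output boundary, written here to match what CakePHP's h() does, versus the hand-rolled decode chain that the old jquery.bcTree.js applied to node titles (reproduced from the diff, in its original order, to show its defect). The function names, the two render helpers standing in for a template line, and the content title are all constructed for this example.

```javascript
// Added example, not from baserCMS. Node.js, no dependencies.

// Single-pass escape equivalent to CakePHP's h() (htmlspecialchars, ENT_QUOTES).
// Applied exactly once, at the point where a value is written into HTML.
function h(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must run first, or later entities get re-escaped
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Inverse of h(): decodes exactly one level. '&amp;' is handled last so that an
// escaped entity such as '&amp;lt;' comes back as '&lt;', not as '<'.
function decodeOnce(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&amp;/g, '&');
}

// The decode chain jquery.bcTree.js used before the fix, kept in its original
// order on purpose. Decoding '&amp;' first means a title stored as
// '&amp;lt;b&amp;gt;' (an admin who literally typed '&lt;b&gt;') is decoded
// twice in one pass and ends up as real markup '<b>'.
function legacyDecode(title) {
  return title
    .replace(/^<span>/, '')
    .replace(/<\/span>$/, '')
    .replace(/&amp;/g, '&')
    .replace(/&quot;/g, '"')
    .replace(/&#039;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>');
}

// Hypothetical stand-ins for one template line: the pre-4.3.7 pattern
// (<?php echo $title ?>) and the patched one (<?php echo h($title) ?>).
function renderTitleRaw(title) {
  return '<span>' + title + '</span>';
}
function renderTitleEscaped(title) {
  return '<span>' + h(title) + '</span>';
}

// True if the rendered fragment contains any tag other than the wrapper span.
function containsInjectedTag(html) {
  const inner = html.replace(/^<span>/, '').replace(/<\/span>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Constructed sample: a content title an administrator could save.
const MALICIOUS_TITLE = '<img src=x onerror=alert(document.cookie)>';

// Stand-alone demonstration.
console.log('raw     :', renderTitleRaw(MALICIOUS_TITLE),
            'injected =', containsInjectedTag(renderTitleRaw(MALICIOUS_TITLE)));
console.log('escaped :', renderTitleEscaped(MALICIOUS_TITLE),
            'injected =', containsInjectedTag(renderTitleEscaped(MALICIOUS_TITLE)));
console.log('legacy  :', legacyDecode('<span>&amp;lt;b&amp;gt;</span>'));
console.log('once    :', decodeOnce('&amp;lt;b&amp;gt;'));
```

The takeaway is the contract the patch adopts: escape once, at the boundary where a value becomes HTML (h() in the template, force_text in jsTree), and never let application code decode and re-encode on the client, where ordering mistakes like the one in legacyDecode silently collapse two levels of encoding into live markup.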

Impact

Successful exploitation allows an admin-level attacker to execute arbitrary scripts in the context of another administrator's browser session. This could lead to session hijacking, unauthorized content modification, or theft of sensitive information stored in the admin panel. The advisory from baserCMS notes that this vulnerability affects sites where the admin interface is used by multiple users.[3][4]

Mitigation

The issue is fixed in baserCMS version 4.3.7. Administrators are advised to update immediately. For those unable to upgrade, security patches are available from the official vendor advisory.[4] The vulnerability was responsibly disclosed by researchers Aquilao Null and stypr.[4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions    Patched versions
baserproject/basercms (Packagist)    >= 4.0.0, < 4.3.7    4.3.7

Patches (1)

7f4b905b9095
Merge pull request from GHSA-cpxc-67rc-c775
https://github.com/baserproject/basercms · baserproject · Aug 25, 2020 · via ghsa
8 files changed · +56 -80
  • app/webroot/theme/admin-third/Elements/admin/content_fields.php (+2 -2, modified)
    @@ -88,7 +88,7 @@
     
     <div class="bca-section bca-section__post-top">
       <span class="bca-post__url">
    -	  <a href="<?php echo $fullUrl ?>" class="bca-text-url" target="_blank" data-toggle="tooltip"
    +	  <a href="<?php echo h($fullUrl) ?>" class="bca-text-url" target="_blank" data-toggle="tooltip"
     		 data-placement="top" title="<?php echo __d('baser', '公開URLを開きます') ?>"><i class="bca-icon--globe"></i><?php echo urldecode($fullUrl) ?></a>
     	  <?php echo $this->BcForm->button('', [
     		  'id' => 'BtnCopyUrl',
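Review bot: the href is escaped now, but the link text on the same anchor, `<?php echo urldecode($fullUrl) ?>` two lines below, is still written raw; urldecode can turn %3C/%3E back into `<`/`>`, so that output needs the same treatment, `<?php echo h(urldecode($fullUrl)) ?>`, in this change rather than a follow-up.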
    @@ -119,7 +119,7 @@
     				<?php echo $this->BcForm->error('Content.name') ?>
     				<?php echo $this->BcForm->error('Content.parent_id') ?>
     				<span class="bca-post__url">
    -          			<?php echo $linkedFullUrl ?>
    +          			<?php echo h($linkedFullUrl) ?>
             		</span>
     			</td>
     		</tr>
    
  • app/webroot/theme/admin-third/Elements/admin/content_info.php (+1 -1, modified)
    @@ -35,7 +35,7 @@
           <li class="bca-list__item"><span><?php echo __d('baser', 'タイプ') ?></span>:
           <?php if(!$this->BcForm->value('Content.alias_id')): ?>
             <?php if(!empty($this->BcContents->settings[$this->BcForm->value('Content.type')])): ?>
    -          <?php echo $this->BcContents->settings[$this->BcForm->value('Content.type')]['title'] ?>
    +          <?php echo h($this->BcContents->settings[$this->BcForm->value('Content.type')]['title']) ?>
             <?php else: ?>
               <?php echo __d('baser', 'デフォルト') ?>
             <?php endif ?>
    
  • app/webroot/theme/admin-third/Elements/admin/content_options.php (+3 -3, modified)
    @@ -36,9 +36,9 @@
               <?php echo $this->BcForm->input('Content.description', ['type' => 'textarea', 'cols' => 36, 'rows' => 4,'data-input-text-size' => 'full-counter']) ?>
     				<?php else: ?>
     					<?php if($this->BcForm->value('Content.exclude_search')): ?>
    -						<?php echo $this->BcForm->value('Content.description') ?>
    +						<?php echo h($this->BcForm->value('Content.description')) ?>
     					<?php else: ?>
    -						<?php echo $this->BcBaser->siteConfig['description'] ?>
    +						<?php echo h($this->BcBaser->siteConfig['description']) ?>
     					<?php endif ?>
     					<?php echo $this->BcForm->hidden('Content.description') ?>
     				<?php endif ?>
    @@ -64,7 +64,7 @@
     					<small>[<?php echo __d('baser', '作成日') ?>]</small> <?php echo $this->BcForm->input('Content.created_date', ['type' => 'dateTimePicker', 'size' => 12, 'maxlength' => 10]) ?> 
     					<small>[<?php echo __d('baser', '更新日') ?>]</small> <?php echo $this->BcForm->input('Content.modified_date', ['type' => 'dateTimePicker', 'size' => 12, 'maxlength' => 10]) ?>
     				<?php else: ?>
    -					<?php echo $this->BcText->arrayValue($this->BcForm->value('Content.author_id'), $authors) ?> 
    +					<?php echo h($this->BcText->arrayValue($this->BcForm->value('Content.author_id'), $authors)) ?> 
     
     					<small>[<?php echo __d('baser', '作成日') ?>]</small> <?php echo $this->BcTime->format('Y/m/d H:i', $this->BcForm->value('Content.created_date')) ?> 
     					<small>[<?php echo __d('baser', '更新日') ?>]</small> <?php echo $this->BcTime->format('Y/m/d H:i', $this->BcForm->value('Content.modified_date')) ?>
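Review bot: the author name is escaped now, but the two `$this->BcTime->format('Y/m/d H:i', ...)` outputs directly beneath it in the same else branch are still echoed raw. If format() returns its input unchanged when it cannot parse the date (the visible lines do not show either way), that is the same sink class as the line just fixed; wrapping both in h() costs nothing and keeps the branch consistent with the rest of the patch.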
    
  • app/webroot/theme/admin-third/Elements/admin/content_related.php (+3 -3, modified)
    @@ -72,13 +72,13 @@
     				<tr<?php echo $class ?> id="Row<?php echo $relatedContent['Site']['id'] ?>">
     					<td class="cel2 bca-table-listup__tbody-td"><?php echo h($relatedContent['Site']['display_name']) ?></td>
     					<td class="cel3 bca-table-listup__tbody-td">
    -						<?php echo $this->BcText->arrayValue($relatedContent['Site']['main_site_id'], $sites,  $mainSiteDisplayName) ?>
    +						<?php echo h($this->BcText->arrayValue($relatedContent['Site']['main_site_id'], $sites,  $mainSiteDisplayName)) ?>
     					</td>
     					<td class="cel4 bca-table-listup__tbody-td">
     						<?php if(!empty($relatedContent['Content'])): ?>
    -							<?php echo $relatedContent['Content']['title'] ?>
    +							<?php echo h($relatedContent['Content']['title']) ?>
     							<?php if(!empty($relatedContent['Content'])): ?>
    -								<small>(<?php echo $this->BcContents->settings[$relatedContent['Content']['type']]['title'] ?>)</small>
    +								<small>(<?php echo h($this->BcContents->settings[$relatedContent['Content']['type']]['title']) ?>)</small>
     							<?php endif ?>
     						<?php else: ?>
     							<small><?php echo __d('baser', '未登録')?></small>
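Review bot: the `<tr<?php echo $class ?> id="Row<?php echo $relatedContent['Site']['id'] ?>">` line at the top of this hunk still interpolates both values raw. If `$class` is a fixed string and the site id an integer this is harmless, but the rule this patch applies everywhere else in the file is to wrap record values in h(); do the same here or leave a comment saying why it is safe. Separately, the inner `<?php if(!empty($relatedContent['Content'])): ?>` around the type label repeats the outer condition that already guards the block and can be dropped.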
    
  • app/webroot/theme/admin-third/Elements/admin/contents/index_list_tree.php (+2 -2, modified)
    @@ -39,7 +39,7 @@
     		$open = false;
     		if(!empty($this->BcContents->settings[$type]['icon'])) {
     		    if(!empty($this->BcContents->settings[$type]['url']['icon'])) {
    -				$icon = $this->BcContents->settings[$type]['url']['icon'];    
    +				$icon = $this->BcContents->settings[$type]['url']['icon'];
                 } else {
     				$icon = $this->BcContents->settings[$type]['icon'];
                 }
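Review bot: whitespace-only hunk (trailing spaces after `$icon = ...;`). Cosmetic cleanup inside a CVE fix makes the real change harder to cherry-pick onto older branches; it belongs in a separate commit.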
    @@ -82,7 +82,7 @@
     	"manageDisabled":"<?php echo $manageDisabled ?>",
     	"deleteDisabled":"<?php echo $deleteDisabled ?>"
     }'<?php if($open): ?> class="jstree-open"<?php endif ?>>
    -			<span><?php echo h($data['Content']['title']) ?></span>
    +			<?php echo h($data['Content']['title']) ?>
     			<?php if(!empty($data['children'])): ?>
     				<?php $this->BcBaser->element('admin/contents/index_list_tree', ['datas' => $data['children']]) ?>
     			<?php endif ?>
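Review bot: dropping the `<span>` wrapper around `h($data['Content']['title'])` is not a no-op. It pairs with `core.force_text = true` in jquery.bcTree.js, under which jsTree would otherwise display the literal `<span>` text, and with the removal of the client-side `^<span>` / `</span>$` stripping in that file. That coupling is invisible from this template, so add a comment here stating that the node text must stay plain text. The `"manageDisabled":"<?php echo $manageDisabled ?>"` and `"deleteDisabled"` values just above go into a JSON attribute unescaped; that is fine only if they are always booleans, which the same comment should state.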
    
  • app/webroot/theme/admin-third/js/admin/libs/jquery.bcTree.js (+22 -34, modified)
    @@ -14,7 +14,7 @@
     
     (function($){
     	$.bcTree = {
    -		
    +	
     	/**
     	 * リンクをクリックする際にShiftキーを押しているかどうか
     	 */
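Review bot: this hunk, and all but two of the hunks in this file, only strip trailing tabs and spaces; the security change is the `force_text` line added in `_init` and the rewrite inside the rename callback. Mixing an editor's whitespace cleanup into a CVE fix inflates the diff and makes it hard to see what actually changed; split the cleanup into its own commit.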
    @@ -31,12 +31,12 @@
     		contextmenuAddOnly: false,
     		
     	/**
    -	 * 設定 BcManageContent より値を取得 
    +	 * 設定 BcManageContent より値を取得
     	 */
     		settings: [],
     		
     	/**
    -	 * ドラッグターゲット 
    +	 * ドラッグターゲット
     	 */
     		dropTarget: null,
     		
    @@ -46,17 +46,17 @@
     		dragTarget: null,
     		
     	/**
    -	 * ツリー構造のDOM(jQueryオブジェクト) 
    +	 * ツリー構造のDOM(jQueryオブジェクト)
     	 */
     		treeDom: null,
     		
     	/**
    -	 * jsTree実体 
    +	 * jsTree実体
     	 */
     		jsTree: null,
     
     	/**
    -	 * 一覧を表示した時間 
    +	 * 一覧を表示した時間
     	 */
     		listDisplayed: null,
     		
    @@ -67,7 +67,7 @@
     
     	/**
     	 * ノードを移動する場合の直前のポジション
    -	 */		
    +	 */
     		beforePosition: null,
     
     	/**
    @@ -97,7 +97,7 @@
     		},
     
     	/**
    -	 * ツリーを読み込む 
    +	 * ツリーを読み込む
     	 */
     		load: function () {
     			if(!$.bcTree._inited) {
    @@ -136,15 +136,15 @@
     		},
     		
     	/**
    -	 * ツリーを初期化する 
    +	 * ツリーを初期化する
     	 */
     		_init: function() {
     			
     			$.bcTree.settings = $.parseJSON($("#BcManageContent").val());
     			$.bcTree.treeDom = $('#ContentsTreeList');
     			$.bcTree.createTree();
     			$.bcTree.jsTree = $.bcTree.treeDom.jstree(true);
    -
    +			$.bcTree.jsTree.settings.core.force_text = true;
     			$.bcTree.treeDom.bind("move_node.jstree", function(e, data){
     				$.bcTree.beforeParentId = data.old_parent;
     				$.bcTree.beforePosition = data.old_position;
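Review bot: `force_text` is poked into the live settings object after `$.bcTree.createTree()` has already run two lines above, instead of being passed as `core.force_text: true` in the config object that createTree builds. jsTree reads the option when it renders a node, so this does take effect, but it hides a security-relevant setting away from the one place a reader looks for tree configuration, and it is silently lost if anything re-creates the tree without going through `_init`. Move it into createTree's `core` section with a comment that it is what makes the raw `rename_node` call later in this file safe.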
    @@ -176,7 +176,7 @@
     						} else {
     							$.bcTree.openUrl($.baseUrl + '/' + $.bcTree.config.adminPrefix + '/contents/edit_alias/' + data.contentId);
     						}
    -					}	
    +					}
     				}
     			});
     			
    @@ -212,7 +212,7 @@
     		},
     
     	/**
    -	 * ツリーを破棄する 
    +	 * ツリーを破棄する
     	 */
     		destroy: function() {
     			if($.bcTree.treeDom) {
    @@ -235,7 +235,7 @@
     		},
     
     	/**
    -	 * ツリー構造を生成する 
    +	 * ツリー構造を生成する
     	 */
     		createTree: function() {
     			// ツリービュー生成
    @@ -282,7 +282,7 @@
     				},
     				"state": {
     					"key": 'jstree-' + $("#ViewSettingSiteId").val(),
    -					"events": "open_all.jstree close_all.jstree changed.jstree open_node.jstree close_node.jstree check_node.jstree uncheck_node.jstree"	
    +					"events": "open_all.jstree close_all.jstree changed.jstree open_node.jstree close_node.jstree check_node.jstree uncheck_node.jstree"
     				},
     				"contextmenu": {
     					"show_at_node": false,
    @@ -601,7 +601,7 @@
     									}
     								} else {
     									if(!val.addDisabled) {
    -										addMenu['Etc']['submenu'][i] = $.bcTree.createMenu(val, parent, data, counter);	
    +										addMenu['Etc']['submenu'][i] = $.bcTree.createMenu(val, parent, data, counter);
     									}
     								}
     								counter++;
    @@ -693,7 +693,7 @@
     				// TODO D&Dの際、子コンテンツのURLを返却し全てのコンテンツの確認ができるようにする
     				// =====================================================================================================
     				if(disableCheck) {
    -					node.data.jstree.contentFullUrl = false;	
    +					node.data.jstree.contentFullUrl = false;
     				}
     				
     				$(this).find('div.jstree-wholerow').each(function(){
    @@ -1076,22 +1076,10 @@
     			if (first === undefined) {
     				first = false;
     			}
    -			var oldTitle = defaultTitle
    -				.replace(/^<span>/, '')
    -				.replace(/<\/span>$/, '')
    -				.replace(/&amp;/g, '&')
    -				.replace(/&quot;/g, '"')
    -				.replace(/&#039;/g, "'")
    -				.replace(/&lt;/g, '<')
    -				.replace(/&gt;/g, '>');
    +			var oldTitle = defaultTitle;
     			$.bcTree.jsTree.edit(node, oldTitle, function (editNode) {
     				var newTitle = editNode.text;
    -				$.bcTree.jsTree.rename_node(editNode, newTitle.replace(/&/g,'&amp;')
    -                   			.replace(/"/g,'&quot;')
    -                   			.replace(/'/g,'&#039;')
    -                   			.replace(/</g,'&lt;')
    -                   			.replace(/>/g,'&gt;')
    -				);
    +				$.bcTree.jsTree.rename_node(editNode, newTitle);
     				if (oldTitle === newTitle) {
     					return false;
     				}
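Review bot: removing the hand-rolled entity handling is right, and the old decode chain was wrong on its own terms: it replaced `&amp;` before `&lt;`/`&gt;`, so a stored `&amp;lt;` became `<` in two steps within a single pass. But `rename_node(editNode, newTitle)` with raw text is now safe only because `core.force_text` is set in `_init`, and nothing in this function records that dependency. Add a one-line comment above `rename_node` pointing at it, plus a test that renames a node to `<img src=x onerror=alert(1)>` and checks the rendered anchor contains `&lt;img`.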
    @@ -1161,7 +1149,7 @@
     
     	/**
     	 * コンテンツを並び替える
    -	 * 
    +	 *
     	 * @param e
     	 * @param data
     	 */
    @@ -1253,7 +1241,7 @@
     
     	/**
     	 * 外部よりメニューを表示する
    -	 * 
    +	 *
     	 * @param e
     	 * @returns {boolean}
     	 */
    @@ -1270,7 +1258,7 @@
     
     	/**
     	 * Shift / Ctrl キーの押印状態を更新する
    -	 * 
    +	 *
     	 * @param e
     	 */
     		updateShiftAndCtrlOnAnchor: function(e) {
    @@ -1293,4 +1281,4 @@
     		}
     		
     	};
    -})(jQuery);
    \ No newline at end of file
    +})(jQuery);
    
  • lib/Baser/View/Elements/admin/contents/index_list_tree.php (+1 -1, modified)
    @@ -74,7 +74,7 @@
     	"manageDisabled":"<?php echo $manageDisabled ?>",
     	"deleteDisabled":"<?php echo $deleteDisabled ?>"
     }'<?php if($open): ?> class="jstree-open"<?php endif ?>>
    -			<span><?php echo h($data['Content']['title']) ?></span>
    +			<?php echo h($data['Content']['title']) ?>
     			<?php if(!empty($data['children'])): ?>
     				<?php $this->BcBaser->element('admin/contents/index_list_tree', ['datas' => $data['children']]) ?>
     			<?php endif ?>
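Review bot: identical change to the admin-third theme copy of this element; the two templates (lib/Baser/View and app/webroot/theme/admin-third) are maintained by hand in parallel, so every escaping fix has to be applied twice, which is exactly how one copy gets missed. Have the theme element delegate to the lib one, or at least add a test that both render a title containing `<` escaped.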
    
  • lib/Baser/webroot/js/admin/libs/jquery.bcTree.js (+22 -34, modified)
    @@ -14,7 +14,7 @@
     
     (function($){
     	$.bcTree = {
    -		
    +	
     	/**
     	 * リンクをクリックする際にShiftキーを押しているかどうか
     	 */
    @@ -31,12 +31,12 @@
     		contextmenuAddOnly: false,
     		
     	/**
    -	 * 設定 BcManageContent より値を取得 
    +	 * 設定 BcManageContent より値を取得
     	 */
     		settings: [],
     		
     	/**
    -	 * ドラッグターゲット 
    +	 * ドラッグターゲット
     	 */
     		dropTarget: null,
     		
    @@ -46,17 +46,17 @@
     		dragTarget: null,
     		
     	/**
    -	 * ツリー構造のDOM(jQueryオブジェクト) 
    +	 * ツリー構造のDOM(jQueryオブジェクト)
     	 */
     		treeDom: null,
     		
     	/**
    -	 * jsTree実体 
    +	 * jsTree実体
     	 */
     		jsTree: null,
     
     	/**
    -	 * 一覧を表示した時間 
    +	 * 一覧を表示した時間
     	 */
     		listDisplayed: null,
     		
    @@ -67,7 +67,7 @@
     
     	/**
     	 * ノードを移動する場合の直前のポジション
    -	 */		
    +	 */
     		beforePosition: null,
     
     	/**
    @@ -97,7 +97,7 @@
     		},
     
     	/**
    -	 * ツリーを読み込む 
    +	 * ツリーを読み込む
     	 */
     		load: function () {
     			if(!$.bcTree._inited) {
    @@ -136,15 +136,15 @@
     		},
     		
     	/**
    -	 * ツリーを初期化する 
    +	 * ツリーを初期化する
     	 */
     		_init: function() {
     			
     			$.bcTree.settings = $.parseJSON($("#BcManageContent").val());
     			$.bcTree.treeDom = $('#ContentsTreeList');
     			$.bcTree.createTree();
     			$.bcTree.jsTree = $.bcTree.treeDom.jstree(true);
    -
    +			$.bcTree.jsTree.settings.core.force_text = true;
     			$.bcTree.treeDom.bind("move_node.jstree", function(e, data){
     				$.bcTree.beforeParentId = data.old_parent;
     				$.bcTree.beforePosition = data.old_position;
    @@ -176,7 +176,7 @@
     						} else {
     							$.bcTree.openUrl($.baseUrl + '/' + $.bcTree.config.adminPrefix + '/contents/edit_alias/' + data.contentId);
     						}
    -					}	
    +					}
     				}
     			});
     			
    @@ -212,7 +212,7 @@
     		},
     
     	/**
    -	 * ツリーを破棄する 
    +	 * ツリーを破棄する
     	 */
     		destroy: function() {
     			if($.bcTree.treeDom) {
    @@ -235,7 +235,7 @@
     		},
     
     	/**
    -	 * ツリー構造を生成する 
    +	 * ツリー構造を生成する
     	 */
     		createTree: function() {
     			// ツリービュー生成
    @@ -282,7 +282,7 @@
     				},
     				"state": {
     					"key": 'jstree-' + $("#ViewSettingSiteId").val(),
    -					"events": "open_all.jstree close_all.jstree changed.jstree open_node.jstree close_node.jstree check_node.jstree uncheck_node.jstree"	
    +					"events": "open_all.jstree close_all.jstree changed.jstree open_node.jstree close_node.jstree check_node.jstree uncheck_node.jstree"
     				},
     				"contextmenu": {
     					"show_at_node": false,
    @@ -601,7 +601,7 @@
     									}
     								} else {
     									if(!val.addDisabled) {
    -										addMenu['Etc']['submenu'][i] = $.bcTree.createMenu(val, parent, data, counter);	
    +										addMenu['Etc']['submenu'][i] = $.bcTree.createMenu(val, parent, data, counter);
     									}
     								}
     								counter++;
    @@ -693,7 +693,7 @@
     				// TODO D&Dの際、子コンテンツのURLを返却し全てのコンテンツの確認ができるようにする
     				// =====================================================================================================
     				if(disableCheck) {
    -					node.data.jstree.contentFullUrl = false;	
    +					node.data.jstree.contentFullUrl = false;
     				}
     				
     				$(this).find('div.jstree-wholerow').each(function(){
    @@ -1072,22 +1072,10 @@
     			if (first === undefined) {
     				first = false;
     			}
    -			var oldTitle = defaultTitle
    -				.replace(/^<span>/, '')
    -				.replace(/<\/span>$/, '')
    -				.replace(/&amp;/g, '&')
    -				.replace(/&quot;/g, '"')
    -				.replace(/&#039;/g, "'")
    -				.replace(/&lt;/g, '<')
    -				.replace(/&gt;/g, '>');
    +			var oldTitle = defaultTitle;
     			$.bcTree.jsTree.edit(node, oldTitle, function (editNode) {
     				var newTitle = editNode.text;
    -				$.bcTree.jsTree.rename_node(editNode, newTitle.replace(/&/g,'&amp;')
    -                   			.replace(/"/g,'&quot;')
    -                   			.replace(/'/g,'&#039;')
    -                   			.replace(/</g,'&lt;')
    -                   			.replace(/>/g,'&gt;')
    -				);
    +				$.bcTree.jsTree.rename_node(editNode, newTitle);
     				if (oldTitle === newTitle) {
     					return false;
     				}
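Review bot: same rewrite as in the admin-third copy, but note the hunk header: `@@ -1072,22` here against `@@ -1076,22` in the theme copy. The two jquery.bcTree.js files have already drifted by four lines, so they are not a verbatim copy and the next fix may not apply cleanly to both. Generate the theme copy from lib/Baser/webroot at build or release time instead of versioning it separately.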
    @@ -1157,7 +1145,7 @@
     
     	/**
     	 * コンテンツを並び替える
    -	 * 
    +	 *
     	 * @param e
     	 * @param data
     	 */
    @@ -1249,7 +1237,7 @@
     
     	/**
     	 * 外部よりメニューを表示する
    -	 * 
    +	 *
     	 * @param e
     	 * @returns {boolean}
     	 */
    @@ -1266,7 +1254,7 @@
     
     	/**
     	 * Shift / Ctrl キーの押印状態を更新する
    -	 * 
    +	 *
     	 * @param e
     	 */
     		updateShiftAndCtrlOnAnchor: function(e) {
    @@ -1289,4 +1277,4 @@
     		}
     		
     	};
    -})(jQuery);
    \ No newline at end of file
    +})(jQuery);
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)
