Cross Site Scripting leading to RCE in baserCMS
Description
baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
baserCMS <=4.3.6 allows XSS and RCE via admin upload of PHP files, fixed in 4.3.7.
CVE-2020-15159 affects baserCMS version 4.3.6 and earlier, with cross-site scripting (XSS) and remote code execution (RCE) vulnerabilities. The issues reside in the ThemeFilesController.php and UploaderFilesController.php components, which allow a system administrator to upload executable script files such as PHP files [1][2].
To exploit the vulnerability, an attacker must already hold system administrator credentials and be logged in to the baserCMS admin panel. From there, a malicious PHP file can be uploaded through the theme or uploader file management interfaces, leading to code execution or XSS [2][3].
Successful exploitation enables an attacker to execute arbitrary code on the server or inject malicious scripts into web pages, potentially compromising the entire CMS and its data [1][3].
The vulnerability is fixed in baserCMS version 4.3.7. Users are advised to upgrade immediately or apply the provided security patches [2][3][4].
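The two defensive changes in 4.3.7 are an extension allowlist that is enforced for administrators too unless an explicit opt-in is set, and HTML escaping of the current-path string in the theme-file views. The following is an added example, not baserCMS's own code: it implements both checks in plain PHP, using hypothetical names (`extensionAllowed`, `renderCurrentPath`, a `$config` array shaped like the plugin's `allowedExt` / `allowedAdmin` keys) and constructed sample inputs. It goes slightly beyond the patch by handling case and multi-dot filenames, which an allowlist must judge by the last extension only.

```php
<?php
// Added example (hypothetical helpers, not baserCMS code).
// Config shaped like Uploader.allowedExt / Uploader.allowedAdmin in the fix.
$config = [
    'allowedAdmin' => false,   // any extension for admins only when explicitly true
    'allowedExt'   => 'gif,jpg,jpeg,png,ico,pdf,zip,doc,docx,xls,xlsx,ppt,pptx,txt',
];

/**
 * Fail-closed extension allowlist. The admin bypass needs BOTH an admin user
 * and an explicit opt-in; a missing or null 'allowedAdmin' key still validates,
 * which is the same behaviour as !Configure::read('Uploader.allowedAdmin').
 */
function extensionAllowed(string $filename, array $config, bool $isAdmin): bool
{
    if ($isAdmin && !empty($config['allowedAdmin'])) {
        return true;
    }
    // Reject names with embedded NUL or path separators before looking at the extension.
    if (strpbrk($filename, "\0/\\") !== false) {
        return false;
    }
    $allowed = array_map('trim', explode(',', strtolower($config['allowedExt'] ?? '')));
    // Only the LAST extension counts, lower-cased: "notes.txt.PHP" is judged as "php".
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    return in_array($ext, $allowed, true);
}

/** Output escaping for the current-path label, comparable to the h() call the fix adds. */
function renderCurrentPath(string $currentPath): string
{
    return '現在の位置:' . htmlspecialchars($currentPath, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs: [filename, isAdmin]
$cases = [
    ['report.pdf',    false],   // allow
    ['photo.JPG',     false],   // allow (case-insensitive)
    ['page.php',      false],   // reject
    ['notes.txt.php', false],   // reject (last extension is php)
    ['page.php',      true],    // reject: admin, but allowedAdmin is false
];
foreach ($cases as [$name, $admin]) {
    printf("%-16s admin=%d -> %s\n", $name, (int) $admin,
        extensionAllowed($name, $config, $admin) ? 'allow' : 'reject');
}
// Constructed path containing markup; the escaped form renders as literal text.
echo renderCurrentPath('/theme/<b>dir</b>'), "\n";
```

The design choice worth noting is the order of the two checks: the opt-in bypass is tested first, so an operator who sets `allowedAdmin` to true gets exactly the pre-4.3.7 behaviour for administrators and nothing more, while every other path goes through the allowlist.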
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| baserproject/basercms (Packagist) | >= 4.0.0, < 4.3.7 | 4.3.7 |
Affected products
- baserproject/basercms v5: range unspecified
Patches
- 16a7b3cd09a0: Merge pull request from GHSA-673x-f5wx-fxpw
6 files changed · +10 −6
app/webroot/theme/admin-third/ThemeFiles/admin/form_folder.php+1 −1 modified@@ -25,7 +25,7 @@ <!-- current --> <div class="em-box bca-current-box"> - <?php echo __d('baser', '現在の位置')?>:<?php echo $currentPath ?> + <?php echo __d('baser', '現在の位置')?>:<?php echo h($currentPath) ?> </div> <?php if ($this->request->action == 'admin_add_folder'): ?>
app/webroot/theme/admin-third/ThemeFiles/admin/index.php+1 −1 modified@@ -45,7 +45,7 @@ <div id="MessageBox" style="display:none"><div id="flashMessage" class="notice-message"></div></div> <!-- current --> -<div class="em-box bca-current-box"><?php echo __d('baser', '現在の位置') ?>:<?php echo $currentPath ?> +<div class="em-box bca-current-box"><?php echo __d('baser', '現在の位置') ?>:<?php echo h($currentPath) ?> <?php if (!$writable): ?> <span style="color:#FF3300">[<?php echo __d('baser', '書込不可') ?>]</span> <?php endif ?>
lib/Baser/Plugin/Uploader/Config/setting.php+5 −1 modified@@ -46,6 +46,10 @@ ] ]; $config['Uploader'] = [ + // システム管理者によるアップロードでいかなる拡張子も許可する + 'allowedAdmin' => false, // システム管理者グループ以外のユーザーがアップロード可能なファイル(拡張子をカンマ区切りで指定する) - 'allowedExt' => 'gif,jpg,png,pdf,zip,doc,docx,xls,xlsx,ppt,pptx' + 'allowedExt' => 'gif,jpg,jpeg,png,ico,pdf,zip,doc,docx,xls,xlsx,ppt,pptx,txt', + // 'allowedExt' => 'mp4,mp3,mpg,mpeg,avi,wmv' // メディア例 + // 'allowedExt' => 'fon,ttf,ttc' // フォント例 ];
lib/Baser/Plugin/Uploader/Model/UploaderFile.php+1 −1 modified@@ -73,7 +73,7 @@ public function __construct($id = false, $table = null, $ds = null) { ] ] ]; - if(!BcUtil::isAdminUser()) { + if(!BcUtil::isAdminUser() || !Configure::read('Uploader.allowedAdmin')) { $this->validate['name'] = [ 'fileExt' => [ 'rule' => ['fileExt', Configure::read('Uploader.allowedExt')],
lib/Baser/View/ThemeFiles/admin/form_folder.php+1 −1 modified@@ -24,7 +24,7 @@ <div class="em-box align-left"> -<?php echo __d('baser', '現在の位置')?>:<?php echo $currentPath ?> +<?php echo __d('baser', '現在の位置')?>:<?php echo h($currentPath) ?> </div> <?php if ($this->request->action == 'admin_add_folder'): ?>
lib/Baser/View/ThemeFiles/admin/index.php+1 −1 modified@@ -44,7 +44,7 @@ <div id="MessageBox" style="display:none"><div id="flashMessage" class="notice-message"></div></div> <!-- current --> -<div class="em-box align-left"><?php echo __d('baser', '現在の位置')?>:<?php echo $currentPath ?> +<div class="em-box align-left"><?php echo __d('baser', '現在の位置')?>:<?php echo h($currentPath) ?> <?php if (!$writable): ?> <span style="color:#FF3300">[<?php echo __d('baser', '書込不可')?>]</span> <?php endif ?>
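Review bot: the four template hunks (form_folder.php and index.php under both app/webroot/theme/admin-third and lib/Baser/View) wrap `$currentPath` in `h()` at the one echo shown, which is the right escaping for an HTML-body context, but the identical fix is copied verbatim into four files; the follow-up should confirm that no other echo of `$currentPath` in those templates remains unescaped and that any use of it inside an attribute or a script block gets context-appropriate escaping, which these hunks do not show.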
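Review bot: in the setting.php hunk the comment left above `'allowedExt'` still reads "システム管理者グループ以外のユーザーがアップロード可能なファイル" (files uploadable by users outside the system administrator group), but after this change the list applies to administrators as well unless `'allowedAdmin'` is set to true; update that comment so operators do not read the extension list as non-admin-only. The `'allowedAdmin' => false` default is the safe choice; sites that relied on administrators uploading arbitrary extensions should be told in the release notes that this is now an explicit opt-in.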
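Review bot: in the UploaderFile.php hunk the new condition `!BcUtil::isAdminUser() || !Configure::read('Uploader.allowedAdmin')` fails closed when the key is absent (Configure::read returns null, so the fileExt rule is applied), which is the desired behaviour, but the double negation deserves a one-line comment because at a glance it reads as a non-admin special case; `if (!(BcUtil::isAdminUser() && Configure::read('Uploader.allowedAdmin')))` says the same thing more directly. Separately, the description names ThemeFilesController.php as an affected component, yet no hunk in this six-file diff touches the theme-file upload path, so the reviewer should confirm that part of the fix lands elsewhere.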
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-673x-f5wx-fxpw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-15159 (NVD advisory)
- basercms.net/security/20200827 (vendor security notice)
- github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac2034a66d (fix commit)
- github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw (vendor advisory, confirmed)