Cross-Site Scripting in baserCMS
Description
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, and New category registration. Arbitrary JavaScript may be executed by entering specific characters from an account that can access the category list of the file upload function, the subsite settings list, the widget area edit screen, and the feed list on the management screen. The issue was introduced in version 4.0.0 and is fixed in version 4.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
baserCMS 4.0.0–4.4.0 contains multiple stored XSS flaws that allow admin-level users to execute arbitrary JavaScript via input in feed, widget, sub-site, and category settings.
Vulnerability
Overview
baserCMS versions 4.0.0 through 4.4.0 are affected by a stored Cross-Site Scripting (XSS) vulnerability that manifests in the Edit feed settings, Edit widget area, Sub site new registration, and New category registration components [2]. The root cause is insufficient sanitization of user-supplied input in these administrative forms. Arbitrary JavaScript can be injected by an authenticated user who has access to the category list of the file upload function, the subsite settings list, the widget area edit screen, and the feed list on the management screen [2].
Exploitation and Attack Surface
An attacker must first have an administrative account with the necessary privileges to access the affected management screens [4]. No other external trigger is required: once the malicious input is saved via the web interface, the payload is stored and executed in the context of any administrator viewing those pages. The attack vector is therefore stored cross-site scripting, with the attacker relying on a legitimate session to inject the script [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any administrator who visits the compromised management page. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the administrative dashboard [4]. Because the vulnerability is stored, the malicious script persists until the input is removed or patched.
Mitigation
The vulnerability was introduced in baserCMS version 4.0.0 and is fixed in version 4.4.1 [1][2]. Users should upgrade to baserCMS 4.4.1 or later. The baserCMS project has published a security advisory and a patch commit that includes additional permission checks and output encoding to prevent the XSS [1][4]. No workaround is available for versions below 4.4.1.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
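The narrative above describes stored input reaching an administrator's browser unencoded, and names output encoding as part of the fix. The following is an added example and not baserCMS code: the function names, the sample feed record and the audit heuristic are assumptions. It shows the unencoded rendering of a stored setting beside its output-encoded form, and a small post-upgrade audit that flags stored values containing markup characters so that input persisted before the fix can be reviewed and removed.

```php
<?php
// Added example (not baserCMS code). All names here are hypothetical.
declare(strict_types=1);

/**
 * Encode a stored string for insertion into HTML text or a double-quoted
 * attribute. ENT_QUOTES also encodes single quotes so the same helper is safe
 * in attribute context; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string; the charset must match the page's encoding.
 */
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Vulnerable rendering: the value an administrator saved through the form is
 * written into the management page unchanged, so any markup it contains is
 * interpreted by the browser of the next administrator who opens the list.
 */
function renderFeedRowVulnerable(array $feed): string
{
    return '<tr><td title="' . $feed['title'] . '">' . $feed['title'] . '</td>'
         . '<td>' . $feed['url'] . '</td></tr>';
}

/** Hardened rendering: every untrusted value is encoded at the point of output. */
function renderFeedRowSafe(array $feed): string
{
    $title = encodeHtml($feed['title']);
    $url   = encodeHtml($feed['url']);
    return '<tr><td title="' . $title . '">' . $title . '</td>'
         . '<td>' . $url . '</td></tr>';
}

/**
 * Post-upgrade audit: flag stored values that contain characters which are
 * significant in HTML. Upgrading stops the script from running, but the stored
 * input itself stays in the database until an administrator removes it.
 * This is a heuristic for triage, not an HTML parser.
 */
function findValuesNeedingReview(array $records, array $fields): array
{
    $flagged = [];
    foreach ($records as $id => $record) {
        foreach ($fields as $field) {
            $value = (string)($record[$field] ?? '');
            if (preg_match('/[<>"\']/', $value) === 1) {
                $flagged[] = ['id' => $id, 'field' => $field, 'value' => $value];
            }
        }
    }
    return $flagged;
}

// Constructed sample records standing in for rows of a feed settings table.
// Record 4 deliberately contains markup and quote characters.
$storedFeeds = [
    3 => ['title' => 'Company news', 'url' => 'https://example.invalid/news.rss'],
    4 => ['title' => '<b>News</b> "daily" feed', 'url' => 'https://example.invalid/feed.rss'],
];

// The first line hands the <b> tag and the attribute-closing quote to the
// browser as markup; the second renders the same value as literal text.
echo renderFeedRowVulnerable($storedFeeds[4]), PHP_EOL;
echo renderFeedRowSafe($storedFeeds[4]), PHP_EOL;

// Triage list for an administrator after upgrading: only record 4 is flagged.
foreach (findValuesNeedingReview($storedFeeds, ['title', 'url']) as $hit) {
    printf("review feed %d, field %s: %s\n", $hit['id'], $hit['field'], encodeHtml($hit['value']));
}
```

Encoding belongs in the view, once per output context; validating input at save time is a useful second layer but does not replace it, because the same value may later be rendered in a context the validator did not anticipate. baserCMS 4 runs on CakePHP 2 (the patch's `CakeRequest` and `CakeResponse` type hints show this), whose global `h()` helper performs the same `htmlspecialchars` call with `ENT_QUOTES`, so templates there can use `h($value)` in place of the `encodeHtml()` helper assumed above.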
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| baserproject/basercms (Packagist) | >= 4.4.0, < 4.4.1 | 4.4.1 |
Affected products
- baserproject/basercms v5, range: >= 4.0.0, < 4.4.1
Patches
- b70474ef9dce Merge pull request from GHSA-wpww-4jf4-4hx8
8 files changed · +48 −18
app/webroot/theme/admin-third/Elements/admin/themes/index_list.php+4 −2 modified@@ -35,7 +35,9 @@ <?php endif ?> </div> <div class="row-tools"> - <?php $this->BcBaser->link('', ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集'), 'class' => 'bca-btn-icon', 'data-bca-btn-type' => 'file-list', 'data-bca-btn-size' => 'lg']) ?> + <?php if (Configure::read('BcApp.allowedThemeEdit')): ?> + <?php $this->BcBaser->link('', ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集'), 'class' => 'bca-btn-icon', 'data-bca-btn-type' => 'file-list', 'data-bca-btn-size' => 'lg']) ?> + <?php endif; ?> <?php $this->BcBaser->link('', ['action' => 'ajax_copy', $currentTheme['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy bca-btn-icon', 'data-bca-btn-type' => 'copy', 'data-bca-btn-size' => 'lg']) ?> </div> </div> @@ -74,4 +76,4 @@ <?php else: ?> <li class="no-data"><?php echo __d('baser', '変更できるテーマがありません。') ?><br><?php echo __d('baser', '<a href="https://market.basercms.net/" target="_blank">baserマーケット</a>でテーマをダウンロードしましょう。') ?></li> <?php endif; ?> -</ul> \ No newline at end of file +</ul>
app/webroot/theme/admin-third/Elements/admin/themes/index_row.php+2 −0 modified@@ -31,7 +31,9 @@ <?php if ($data['name'] != $this->BcBaser->siteConfig['theme']): ?> <?php $this->BcBaser->link('', ['action' => 'apply', $data['name']], ['title' => __d('baser', '適用'), 'class' => 'submit-token bca-btn-icon', 'data-bca-btn-type' => 'apply', 'data-bca-btn-size' => 'lg']) ?> <?php endif ?> + <?php if (Configure::read('BcApp.allowedThemeEdit')): ?> <?php $this->BcBaser->link('', ['controller' => 'theme_files', 'action' => 'index', $data['name']], ['title' => __d('baser', 'テンプレート編集'), 'class' => 'bca-btn-icon', 'data-bca-btn-type' => 'file-list', 'data-bca-btn-size' => 'lg']) ?> + <?php endif; ?> <?php $this->BcBaser->link('', ['action' => 'ajax_copy', $data['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy bca-btn-icon', 'data-bca-btn-type' => 'copy', 'data-bca-btn-size' => 'lg']) ?> <?php $this->BcBaser->link('', ['action' => 'ajax_delete', $data['name']], ['title' => __d('baser', 'テーマ削除'), 'class' => 'btn-delete bca-btn-icon', 'data-bca-btn-type' => 'delete', 'data-bca-btn-size' => 'lg']) ?> </p>
app/webroot/theme/admin-third/ThemeFiles/admin/form.php+3 −2 modified@@ -105,12 +105,13 @@ <div class="bca-actions__sub"> <?php $this->BcBaser->link(__d('baser', '削除'), array_merge(['action' => 'del', $theme, $plugin, $type], $params), ['class' => 'submit-token button bca-btn', 'data-bca-btn-type' => 'delete', 'data-bca-btn-size' => 'sm'], sprintf(__d('baser', '%s を本当に削除してもいいですか?'), basename($path)), false) ?> </div> - <?php endif ?> + <?php endif ?> <?php else: ?> <?php // プラグインのアセットの場合はコピーできない ?> <?php if (!$safeModeOn): ?> <?php //if($theme == 'core' && !(($type == 'css' || $type == 'js' || $type == 'img') && $plugin)): ?> - <?php if ($theme == 'core'): ?> + <?php // テーマ編集が許可されていない場合コピー不可 ?> + <?php if ($theme == 'core' && Configure::read('BcApp.allowedThemeEdit')): ?> <?php $this->BcBaser->link(__d('baser', '現在のテーマにコピー'), array_merge(array('action' => 'copy_to_theme', $theme, $plugin, $type), explode('/', $path)), array('class' => 'submit-token btn-red button bca-btn'), sprintf(__d('baser', '本当に現在のテーマ「%s」にコピーしてもいいですか?\n既に存在するファイルは上書きされます。'), Inflector::camelize($siteConfig['theme']))); ?> <?php endif; ?> <?php else: ?>
lib/Baser/Config/setting.php+2 −0 modified@@ -176,6 +176,8 @@ 'validSyntaxWithPage' => true, // 管理者以外のPHPコードを許可するかどうか 'allowedPhpOtherThanAdmins' => true, + // テーマ編集機能の利用を許可するかどうか + 'allowedThemeEdit' => false, 'marketThemeRss' => 'https://market.basercms.net/themes.rss', 'marketPluginRss' => 'https://market.basercms.net/plugins.rss', 'specialThanks' => 'https://basercms.net/special_thanks/special_thanks/ajax_users',
lib/Baser/Controller/ThemeFilesController.php+27 −9 modified@@ -74,6 +74,24 @@ public function __construct(CakeRequest $request, CakeResponse $response) { $this->crumbs = [ ['name' => __d('baser', 'テーマ管理'), 'url' => ['admin' => true, 'controller' => 'themes', 'action' => 'index']] ]; + + // テーマ編集機能が制限されている場合はアクセス禁止 + if (Configure::read('BcApp.allowedThemeEdit') == false) { + $denyList = [ + 'admin_index', + 'admin_add', + 'admin_edit', + 'admin_add_folder', + 'admin_edit_folder', + ]; + // coreのindexはアクセス可能 + if ($this->request->params['pass'][0] === 'core') { + unset($denyList[array_search('admin_index', $denyList)]); + } + if (in_array($this->request->action, $denyList)) { + $this->notfound(); + } + } } /** @@ -136,13 +154,13 @@ public function admin_index() { $excludeFileList = ['screenshot.png', 'VERSION.txt', 'config.php', 'AppView.php', 'BcAppView.php']; if (!$path) { $excludeFolderList = [ - 'Layouts', - 'Elements', + 'Layouts', + 'Elements', 'Emails', - 'Helper', + 'Helper', 'Config', - 'Plugin', - 'img', + 'Plugin', + 'img', 'css', 'js', '_notes' @@ -185,9 +203,9 @@ public function admin_index() { /** * ファイルタイプを取得する - * + * * @param string $file - * @return mixed false / type + * @return mixed false / type */ protected function _getFileType($file) { if (preg_match('/^(.+?)(\.ctp|\.php|\.css|\.js)$/is', $file)) { @@ -873,7 +891,7 @@ public function admin_copy_folder_to_theme() { /** * 画像を表示する * コアの画像等も表示可 - * + * * @param array パス情報 * @return void */ @@ -901,7 +919,7 @@ public function admin_img() { /** * 画像を表示する * コアの画像等も表示可 - * + * * @param int $width * @param int $height * @param array パス情報
lib/Baser/View/Elements/admin/themes/index_list.php+4 −2 modified@@ -35,7 +35,9 @@ <?php endif ?> </div> <p class="row-tools"> - <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集')]) ?> + <?php if (Configure::read('BcApp.allowedThemeEdit')): ?> + <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集')]) ?> + <?php endif; ?> <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_copy.png', ['alt' => __d('baser', 'テーマコピー'), 'class' => 'btn']), ['action' => 'ajax_copy', $currentTheme['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy']) ?> </p> </div> @@ -76,4 +78,4 @@ <li class="no-data"><?php echo __d('baser', '変更できるテーマがありません。')?><br /><a href="https://market.basercms.net/" target="_blank"><?php echo __d('baser', 'baserマーケット</a>でテーマをダウンロードしましょう。')?></li> <?php endif ?> <?php endif; ?> -</ul> \ No newline at end of file +</ul>
lib/Baser/View/Elements/admin/themes/index_row.php+3 −1 modified@@ -31,7 +31,9 @@ <?php if ($data['name'] != $this->BcBaser->siteConfig['theme']): ?> <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_apply.png', ['alt' => __d('baser', '適用'), 'class' => 'btn']), ['action' => 'apply', $data['name']], ['title' => __d('baser', '適用'), 'class' => 'submit-token']) ?> <?php endif ?> - <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $data['name']], ['title' => __d('baser', 'テンプレート編集')]) ?> + <?php if (Configure::read('BcApp.allowedThemeEdit')): ?> + <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $data['name']], ['title' => __d('baser', 'テンプレート編集')]) ?> + <?php endif; ?> <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_copy.png', ['alt' => __d('baser', 'テーマコピー'), 'class' => 'btn']), ['action' => 'ajax_copy', $data['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy']) ?> <?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_delete.png', ['alt' => __d('baser', 'テーマ削除'), 'class' => 'btn']), ['action' => 'ajax_delete', $data['name']], ['title' => __d('baser', 'テーマ削除'), 'class' => 'btn-delete']) ?> </p>
lib/Baser/View/ThemeFiles/admin/form.php+3 −2 modified@@ -102,13 +102,14 @@ <?php if($isWritable): ?> <?php echo $this->BcForm->submit(__d('baser', '保存'), ['div' => false, 'class' => 'button', 'id' => 'BtnSave']) ?> <?php $this->BcBaser->link(__d('baser', '削除'), array_merge(['action' => 'del', $theme, $plugin, $type], $params), ['class' => 'submit-token button'], sprintf(__d('baser', '%s を本当に削除してもいいですか?'), basename($path)), false) ?> - <?php endif ?> + <?php endif ?> <?php else: ?> <?php $this->BcBaser->link(__d('baser', '一覧に戻る'), array_merge(['action' => 'index', $theme, $plugin, $type], $parentPrams), ['class' => 'btn-gray button']); ?> <?php // プラグインのアセットの場合はコピーできない ?> <?php if (!$safeModeOn): ?> <?php //if($theme == 'core' && !(($type == 'css' || $type == 'js' || $type == 'img') && $plugin)): ?> - <?php if ($theme == 'core'): ?> + <?php // テーマ編集が許可されていない場合コピー不可 ?> + <?php if ($theme == 'core' && Configure::read('BcApp.allowedThemeEdit')): ?> <?php $this->BcBaser->link(__d('baser', '現在のテーマにコピー'), array_merge(['action' => 'copy_to_theme', $theme, $plugin, $type], explode('/', $path)), ['class' => 'submit-token btn-red button'], sprintf(__d('baser', "本当に現在のテーマ「 %s 」にコピーしてもいいですか?\n既に存在するファイルは上書きされます。"), Inflector::camelize($siteConfig['theme']))); ?> <?php endif; ?> <?php else: ?>
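Review bot: in the `__construct` hunk of `lib/Baser/Controller/ThemeFilesController.php`, the `core` exemption reads `$this->request->params['pass'][0]` without checking that a pass parameter exists, so a request to one of the denied actions with no path segment raises an undefined-index notice before the deny check is reached; guard it with `!empty($this->request->params['pass'][0])`. The same hunk only denies `admin_index`, `admin_add`, `admin_edit`, `admin_add_folder` and `admin_edit_folder`, while the `form.php` hunks merely hide the `copy_to_theme` link and the `del` link, and the `admin_copy_folder_to_theme` action is visible as context in this file. Hiding a link in the view is not an access control, so either add the copy and delete actions to `$denyList` or check `BcApp.allowedThemeEdit` inside each of those actions.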
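Review bot: the new `allowedThemeEdit` key in the `lib/Baser/Config/setting.php` hunk defaults to `false`, which is the right fail-closed choice (the `== false` comparison in the controller also denies when the key is missing), but it silently disables theme file editing for every existing installation on upgrade. The comment above the key and the release notes should say that this is intentional and name the setting an administrator must flip to restore the feature.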
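Review bot: the `@@ -136` hunk in `ThemeFilesController.php` (the `$excludeFolderList` entries) and the three docblock hunks at `@@ -185`, `@@ -873` and `@@ -901` change only indentation and trailing whitespace, and the two `form.php` hunks each carry a whitespace-only `<?php endif ?>` line. Whitespace churn mixed into a security fix makes the real change harder to review and to backport to a maintenance branch; move it to a separate commit.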
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-wpww-4jf4-4hx8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-15273 (GHSA advisory)
- github.com/baserproject/basercms/commit/b70474ef9dcee6ad8826360884625dc7ca9041a1 (x_refsource_MISC, web)
- github.com/baserproject/basercms/security/advisories/GHSA-wpww-4jf4-4hx8 (x_refsource_CONFIRM, web)
- packagist.org/packages/baserproject/basercms (x_refsource_MISC, web)