Cross Site Scripting in baserCMS
Description
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BaserCMS 4.4.0 and earlier are vulnerable to stored XSS in blog comments via crafted nickname input.
Root
Cause
The vulnerability exists in the blog comment component of baserCMS before version 4.4.1. When displaying a blog comment, the $dbData['name'] field (the commenter's nickname) is echoed directly without proper escaping [4]. The fix introduces h() (likely htmlspecialchars) on the name output and adds 'escape' => true to the link helper, preventing HTML/JavaScript injection [4].
Exploitation
An attacker can exploit this by posting a blog comment containing malicious JavaScript in the nickname field [1][2]. The attack requires the blog to accept comments and use a theme that does not apply its own output escaping [3]. No authentication is needed beyond the ability to submit a comment on a public blog [3]. The injected script executes when any user views the blog comment page [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a logged-in victim's session [1][2]. This stored XSS can be used to steal session cookies, perform actions on behalf of the admin, or deface the site. The advisory notes that the same version also contains a separate code injection vulnerability in the admin panel [3].
Mitigation
The vulnerability is fixed in baserCMS version 4.4.1 [1][2][3]. Users are advised to upgrade immediately. There is no workaround provided for unpatched versions other than disabling blog comments or applying the theme-level escaping shown in the patch [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
baserproject/basercmsPackagist | >= 4.4.0, < 4.4.1 | 4.4.1 |
Affected products
2- baserproject/basercmsv5Range: >= 4.0.0, < 4.4.1
Patches
1d14f506385f2Merge pull request from GHSA-fw5q-j9p4-3vxg
2 files changed · +3 −3
lib/Baser/Config/theme/bc_sample/Elements/blog_comment.php+2 −2 modified@@ -25,9 +25,9 @@ <div class="bs-blog-comment__list-item" id="Comment<?php echo $dbData['no'] ?>"> <div class="bs-blog-comment__list-item-name"> <?php if ($dbData['url']): ?> - <?php $this->BcBaser->link($dbData['name'], $dbData['url'], ['target' => '_blank']) ?> + <?php $this->BcBaser->link($dbData['name'], $dbData['url'], ['target' => '_blank', 'escape' => true]) ?> <?php else: ?> - <?php echo $dbData['name'] ?> + <?php echo h($dbData['name']) ?> <?php endif ?> </div> <div class="bs-blog-comment__list-item-message">
lib/Baser/Plugin/Blog/View/Elements/blog_comments_scripts.php+1 −1 modified@@ -11,7 +11,7 @@ 'data-alertMessageComplate' => __('コメントの送信が完了しました。'), 'data-alertMessageError' => __('コメントの送信に失敗しました。入力内容を見なおしてください。'), ]); ?> -<div id="BaseUrl" style="display: none"><?php echo $this->request->base; ?></div> +<div id="BaseUrl" style="display: none"><?php echo h($this->request->base); ?></div> <script> authCaptcha = <?php echo $blogContent['BlogContent']['auth_captcha'] ? 'true' : 'false'; ?>;
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-fw5q-j9p4-3vxgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-15276ghsaADVISORY
- basercms.net/security/20201029ghsax_refsource_MISCWEB
- github.com/baserproject/basercms/commit/d14f506385f21d67d5ff3462f204d4c2321b7c54ghsax_refsource_MISCWEB
- github.com/baserproject/basercms/security/advisories/GHSA-fw5q-j9p4-3vxgghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.