VYPR
High severity · NVD Advisory · Published Oct 30, 2020 · Updated Aug 4, 2024

Remote Code Execution in baserCMS

CVE-2020-15277

Description

baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

baserCMS before 4.4.1 allows authenticated administrators to achieve remote code execution by uploading a malicious script via the Edit template component.

Vulnerability

baserCMS versions prior to 4.4.1 contain a remote code execution (RCE) vulnerability in the Edit template component. An authenticated system administrator can upload executable script files such as PHP, leading to arbitrary code execution on the server [1][2][4].

Exploitation

The attack requires administrator-level access to the baserCMS admin panel. By uploading a malicious PHP file through the vulnerable Edit template functionality, an attacker can execute arbitrary code. The vulnerability affects baserCMS versions 4.0.0 through 4.4.0 [2][3][4].

Impact

Successful exploitation allows an attacker to execute arbitrary PHP code, potentially leading to full compromise of the CMS and its data. The advisory also notes related cross-site scripting (XSS) issues in other components [3][4].

Mitigation

The vulnerability is fixed in baserCMS version 4.4.1. Administrators are advised to update immediately. The vendor has provided update instructions on their security page [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions     Patched versions
baserproject/basercms (Packagist)  >= 4.4.0, < 4.4.1     4.4.1

Affected products: 2

Patches: 1
bb027c3967b0

Merge pull request from GHSA-6fmv-q269-55cw

https://github.com/baserproject/basercms · baserproject · Oct 29, 2020 · via ghsa
8 files changed · +40 −40
  • app/webroot/theme/admin-third/Elements/admin/feed_details/index_row.php · +4 −4 · modified
    @@ -20,13 +20,13 @@
     	<td class="bca-table-listup__tbody-td" class="row-tools bca-table-listup__tbody-td">
     		<?php if ($this->BcBaser->isAdminUser()): ?>
     			<?php echo $this->BcForm->input('ListTool.batch_targets.' . $data['id'], ['type' => 'checkbox', 'label'=> '<span class="bca-visually-hidden">チェックする</span>', 'class' => 'batch-targets bca-checkbox__input', 'value' => $data['id']]) ?>
    -		<?php endif ?>		
    +		<?php endif ?>
     	</td>
     	<td class="bca-table-listup__tbody-td">
     		<?php if ($data['url']): ?>
    -			<?php $this->BcBaser->link($data['name'], ['controller' => 'feed_details', 'action' => 'edit', $this->BcForm->value('FeedConfig.id'), $data['id']]) ?>
    +			<?php $this->BcBaser->link($data['name'], ['controller' => 'feed_details', 'action' => 'edit', $this->BcForm->value('FeedConfig.id'), $data['id']], ['escape' => true]) ?>
     		<?php else: ?>
    -			<?php echo $data['name'] ?>
    +			<?php echo h($data['name']) ?>
     		<?php endif; ?>
     	</td>
     	<td class="bca-table-listup__tbody-td"><?php echo $data['category_filter'] ?></td>
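Review bot: `$data['category_filter']` on the last context line of this hunk is still echoed raw, while `$data['name']` a few lines above now goes through `h()`; both values come from the same row, so the escaping should be applied to every echoed field rather than one at a time. More broadly, every hunk in this commit only adds output escaping (`h()` or `['escape' => true]`) to admin list rows and widget forms and nothing touches template upload, so this patch addresses the XSS issues the advisory mentions, not the Edit template RCE described above; the merge commit message ("Merge pull request from GHSA-6fmv-q269-55cw") should say which of the two it fixes.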
    @@ -39,4 +39,4 @@
     		<?php $this->BcBaser->link('', ['controller' => 'feed_details', 'action' => 'edit', $this->BcForm->value('FeedConfig.id'), $data['id']], ['title' => __d('baser', '編集'), 'class' => 'bca-btn-icon', 'data-bca-btn-type' => 'edit','data-bca-btn-size' => 'lg']) ?>
     		<?php $this->BcBaser->link('', ['controller' => 'feed_details', 'action' => 'ajax_delete', $this->BcForm->value('FeedConfig.id'), $data['id']], ['title' => __d('baser', '削除'), 'class' => 'btn-delete bca-btn-icon', 'data-bca-btn-type' => 'delete','data-bca-btn-size' => 'lg']) ?>
     	</td>
    -</tr>
    \ No newline at end of file
    +</tr>
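Review bot: This hunk only adds the missing trailing newline (the `\ No newline at end of file` marker) and changes no behaviour; the same whitespace-only hunk is repeated in the other index_row.php files. Keeping cosmetic fixes out of a security commit makes the escaping changes easier to audit.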
    
  • app/webroot/theme/admin-third/Elements/admin/sites/index_row.php · +2 −2 · modified
    @@ -26,7 +26,7 @@
     
     <tr id="Row<?php echo $count ?>" <?php echo $class; ?>>
     	<td class="bca-table-listup__tbody-td" style="width:5%"><?php echo $data['Site']['id']; ?></td>
    -	<td class="bca-table-listup__tbody-td"><?php echo $data['Site']['display_name'] ?></td>
    +	<td class="bca-table-listup__tbody-td"><?php echo h($data['Site']['display_name']) ?></td>
     	<td class="bca-table-listup__tbody-td"><?php $this->BcBaser->link($data['Site']['name'], ['action' => 'edit', $data['Site']['id']]); ?><br>
     		<?php echo $data['Site']['alias'] ?>
     	</td>
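Review bot: `<?php echo $data['Site']['alias'] ?>` and the `BcBaser->link($data['Site']['name'], ...)` call in the context lines are left unescaped in this hunk, although the lib/Baser copy of the same row later in this patch wraps the alias in `h()` and passes `['escape' => true]` to the link. The admin-third template should receive the same two changes so both themes are patched identically.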
    @@ -53,4 +53,4 @@
     <?php endif ?>
     		<?php $this->BcBaser->link('', ['action' => 'edit', $data['Site']['id']], ['title' => __d('baser', '編集'), 'class' => ' bca-btn-icon', 'data-bca-btn-type' => 'edit','data-bca-btn-size' => 'lg']) ?>
     	</td>
    -</tr>
    \ No newline at end of file
    +</tr>
    
  • app/webroot/theme/admin-third/Elements/admin/uploader_categories/index_row.php · +1 −1 · modified
    @@ -19,7 +19,7 @@
     <?php endif ?>
     	</td>
     	<td class="bca-table-listup__tbody-td"><?php echo $data['UploaderCategory']['id'] ?></td>
    -	<td class="bca-table-listup__tbody-td"><?php echo $data['UploaderCategory']['name'] ?></td>
    +	<td class="bca-table-listup__tbody-td"><?php echo h($data['UploaderCategory']['name']) ?></td>
     	<?php echo $this->BcListTable->dispatchShowRow($data) ?>
     	<td class="bca-table-listup__tbody-td">
     		<?php echo $data['UploaderCategory']['created'] ?><br />
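Review bot: `$data['UploaderCategory']['id']` and `$data['UploaderCategory']['created']` in the context lines are still echoed without `h()`; they are integer and datetime columns, so the risk is lower than for `name`, but escaping every echoed value uniformly removes the need to reason about each column's type, and `dispatchShowRow($data)` hands the same unescaped row to plugin callbacks that need the same care.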
    
  • app/webroot/theme/admin-third/WidgetAreas/admin/form.php · +14 −14 · modified
    @@ -58,7 +58,7 @@
     
     				<h2><?php echo __d('baser', '利用できるウィジェット') ?></h2>
     				<?php foreach ($widgetInfos as $widgetInfo) : ?>
    -					<h3><?php echo $widgetInfo['title'] ?></h3>
    +					<h3><?php echo h($widgetInfo['title']) ?></h3>
     					<?php
     					$widgets = [];
     					foreach ($widgetInfo['paths'] as $path) {
    @@ -85,20 +85,20 @@
     					<?php foreach ($widgets as $widget): ?>
     
     						<div class="ui-widget-content draggable widget" id="Widget<?php echo Inflector::camelize($widget['name']) ?>">
    -							<div class="head"><?php echo $widget['title'] ?></div>
    +							<div class="head"><?php echo h($widget['title']) ?></div>
     						</div>
     
    -						<div class="description"><?php echo $widget['description'] ?></div>
    +						<div class="description"><?php echo h($widget['description']) ?></div>
     
    -						<div class="ui-widget-content sortable widget template <?php echo $widget['name'] ?>" id="<?php echo Inflector::camelize($widget['name']) ?>">
    +						<div class="ui-widget-content sortable widget template <?php echo h($widget['name']) ?>" id="<?php echo Inflector::camelize($widget['name']) ?>">
     							<div class="clearfix">
    -								<div class="widget-name display-none"><?php echo $widget['name'] ?></div>
    +								<div class="widget-name display-none"><?php echo h($widget['name']) ?></div>
     								<div class="del"><?php echo __d('baser', '削除') ?></div>
     								<div class="action"><?php echo __d('baser', '設定') ?></div>
    -								<div class="head"><?php echo $widget['title'] ?></div>
    +								<div class="head"><?php echo h($widget['title']) ?></div>
     							</div>
     							<div class="content" style="text-align:right">
    -								<p class="widget-name"><small><?php echo $widget['title'] ?></small></p>
    +								<p class="widget-name"><small><?php echo h($widget['title']) ?></small></p>
     								<?php echo $this->BcForm->create('Widget', ['url' => ['controller' => 'widget_areas', 'action' => 'update_widget', $this->BcForm->value('WidgetArea.id')], 'class' => 'form']) ?>
     								<?php echo $this->BcForm->input('Widget.id', ['type' => 'hidden', 'class' => 'id']) ?>
     								<?php echo $this->BcForm->input('Widget.type', ['type' => 'hidden', 'value' => $widget['title']]) ?>
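Review bot: The `id` attributes on the two `<div>` lines that read `id="Widget<?php echo Inflector::camelize($widget['name']) ?>"` and `id="<?php echo Inflector::camelize($widget['name']) ?>"` are unchanged, while the same `$widget['name']` in the `class` attribute is now wrapped in `h()`. `Inflector::camelize` does not HTML-escape its input, so the camelized value should also be passed through `h()` before being placed in the attribute.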
    @@ -134,15 +134,15 @@
     						<?php $key = key($widget) ?>
     						<?php $enabled = '' ?>
     						<?php if ($widget[$key]['status']): ?>
    -				<?php $enabled = ' enabled' ?>
    -			<?php endif ?>
    +							<?php $enabled = ' enabled' ?>
    +						<?php endif ?>
     
    -						<div class="ui-widget-content sortable widget setting <?php echo $widget[$key]['element'] ?><?php echo $enabled ?>" id="Setting<?php echo $widget[$key]['id'] ?>">
    +						<div class="ui-widget-content sortable widget setting <?php echo h($widget[$key]['element']) ?><?php echo $enabled ?>" id="Setting<?php echo $widget[$key]['id'] ?>">
     							<div class="clearfix">
    -								<div class="widget-name display-none"><?php echo $widget[$key]['element'] ?></div>
    +								<div class="widget-name display-none"><?php echo h($widget[$key]['element']) ?></div>
     								<div class="del"><?php echo __d('baser', '削除') ?></div>
     								<div class="action"><?php echo __d('baser', '設定') ?></div>
    -								<div class="head"><?php echo $widget[$key]['name'] ?></div>
    +								<div class="head"><?php echo h($widget[$key]['name']) ?></div>
     							</div>
     							<div class="content" style="text-align:right">
     								<p><small><?php echo $widget[$key]['type'] ?></small></p>
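Review bot: `id="Setting<?php echo $widget[$key]['id'] ?>"` and the `<p><small><?php echo $widget[$key]['type'] ?></small></p>` context line still emit values without `h()`, unlike `element` and `name` in the same block; the re-indentation of the `$enabled` lines is also mixed into this hunk, which makes the functional change harder to pick out. Suggest escaping `type` and `id` as well and keeping whitespace-only edits out of the fix.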
    @@ -161,8 +161,8 @@
     								<?php echo $this->BcForm->end(['label' => __d('baser', '保存'), 'div' => false, 'id' => 'WidgetUpdateWidgetSubmit' . $widget[$key]['id'], 'class' => 'button bca-btn', 'data-bca-btn-type' => 'save']) ?></p>
     							</div>
     						</div>
    -		<?php endforeach; ?>
    -	<?php endif; ?>
    +					<?php endforeach; ?>
    +				<?php endif; ?>
     			</div>
     		</div>
     	</div>
    
  • lib/Baser/Plugin/Feed/View/Elements/admin/feed_details/index_row.php · +4 −4 · modified
    @@ -21,21 +21,21 @@
     	<td class="row-tools">
     		<?php if ($this->BcBaser->isAdminUser()): ?>
     			<?php echo $this->BcForm->checkbox('ListTool.batch_targets.' . $data['id'], array('type' => 'checkbox', 'class' => 'batch-targets', 'value' => $data['id'])) ?>
    -		<?php endif ?>		
    +		<?php endif ?>
     		<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_check.png', array('alt' => __d('baser', '確認'), 'class' => 'btn')), $data['url'], array('title' => __d('baser', '確認'), 'target' => '_blank')) ?>
     		<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_edit.png', array('alt' => __d('baser', '編集'), 'class' => 'btn')), array('controller' => 'feed_details', 'action' => 'edit', $this->BcForm->value('FeedConfig.id'), $data['id']), array('title' => __d('baser', '編集'))) ?>
     		<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_delete.png', array('alt' => __d('baser', '削除'), 'class' => 'btn')), array('controller' => 'feed_details', 'action' => 'ajax_delete', $this->BcForm->value('FeedConfig.id'), $data['id']), array('title' => __d('baser', '削除'), 'class' => 'btn-delete')) ?>
     	</td>
     	<td>
     		<?php if ($data['url']): ?>
    -			<?php $this->BcBaser->link($data['name'], array('controller' => 'feed_details', 'action' => 'edit', $this->BcForm->value('FeedConfig.id'), $data['id'])) ?>
    +			<?php $this->BcBaser->link($data['name'], array('controller' => 'feed_details', 'action' => 'edit', $this->BcForm->value('FeedConfig.id'), $data['id']), ['escape' => true]) ?>
     		<?php else: ?>
    -			<?php echo $data['name'] ?>
    +			<?php echo h($data['name']) ?>
     		<?php endif; ?>
     	</td>
     	<td><?php echo $data['category_filter'] ?></td>
     	<td><?php echo $this->BcText->listValue('FeedDetail.cache_time', $data['cache_time']) ?></td>
     	<?php echo $this->BcListTable->dispatchShowRow($data) ?>
     	<td><?php echo $this->BcTime->format('Y-m-d', $data['created']) ?><br />
     		<?php echo $this->BcTime->format('Y-m-d', $data['modified']) ?></td>
    -</tr>
    \ No newline at end of file
    +</tr>
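Review bot: As in the admin-third copy of this row, `<td><?php echo $data['category_filter'] ?></td>` remains unescaped after `name` was fixed; the plugin and theme versions of feed_details/index_row.php should escape the same set of fields so the two do not drift.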
    
  • lib/Baser/View/Elements/admin/sites/index_row.php · +4 −4 · modified
    @@ -34,9 +34,9 @@
     		<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_edit.png', ['alt' => __d('baser', '編集'), 'class' => 'btn']), ['action' => 'edit', $data['Site']['id']], ['title' => __d('baser', '編集')]) ?>
     	</td>
     	<td style="width:5%"><?php echo $data['Site']['id']; ?></td>
    -	<td><?php echo $data['Site']['display_name'] ?></td>
    -	<td><?php $this->BcBaser->link($data['Site']['name'], ['action' => 'edit', $data['Site']['id']]); ?><br>
    -		<?php echo $data['Site']['alias'] ?>
    +	<td><?php echo h($data['Site']['display_name']) ?></td>
    +	<td><?php $this->BcBaser->link($data['Site']['name'], ['action' => 'edit', $data['Site']['id']], ['escape' => true]); ?><br>
    +		<?php echo h($data['Site']['alias']) ?>
     	</td>
     	<td style="width:5%;" class="align-center status">
     		<?php echo $this->BcText->booleanMark($data['Site']['status']); ?><br />
    @@ -53,4 +53,4 @@
     		<?php echo $this->BcTime->format('Y-m-d', $data['Site']['created']) ?><br />
     		<?php echo $this->BcTime->format('Y-m-d', $data['Site']['modified']) ?>
     	</td>
    -</tr>
    \ No newline at end of file
    +</tr>
    
  • lib/Baser/View/Elements/admin/widget_areas/index_row.php · +2 −2 · modified
    @@ -25,8 +25,8 @@
     		<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_delete.png', ['alt' => __d('baser', '削除'), 'class' => 'btn']), ['action' => 'ajax_delete', $data['WidgetArea']['id']], ['title' => __d('baser', '削除'), 'class' => 'btn-delete']) ?>
     	</td>
     	<td><?php echo $data['WidgetArea']['id']; ?></td>
    -	<td><?php $this->BcBaser->link($data['WidgetArea']['name'], ['action' => 'edit', $data['WidgetArea']['id']]); ?></td>
    +	<td><?php $this->BcBaser->link($data['WidgetArea']['name'], ['action' => 'edit', $data['WidgetArea']['id']], ['escape' => true]); ?></td>
     	<td><?php echo $data['WidgetArea']['count']; ?></td>
     	<td><?php echo $this->BcTime->format('Y-m-d', $data['WidgetArea']['created']); ?><br />
     		<?php echo $this->BcTime->format('Y-m-d', $data['WidgetArea']['modified']); ?></td>
    -</tr>
    \ No newline at end of file
    +</tr>
    
  • lib/Baser/View/WidgetAreas/admin/form.php · +9 −9 · modified
    @@ -59,7 +59,7 @@
     
     				<h2><?php echo __d('baser', '利用できるウィジェット')?></h2>
     				<?php foreach ($widgetInfos as $widgetInfo) : ?>
    -					<h3><?php echo $widgetInfo['title'] ?></h3>
    +					<h3><?php echo h($widgetInfo['title']) ?></h3>
     					<?php
     					$widgets = [];
     					foreach ($widgetInfo['paths'] as $path) {
    @@ -86,20 +86,20 @@
     					<?php foreach ($widgets as $widget): ?>
     
     						<div class="ui-widget-content draggable widget" id="Widget<?php echo Inflector::camelize($widget['name']) ?>">
    -							<div class="head"><?php echo $widget['title'] ?></div>
    +							<div class="head"><?php echo h($widget['title']) ?></div>
     						</div>
     
    -						<div class="description"><?php echo $widget['description'] ?></div>
    +						<div class="description"><?php echo h($widget['description']) ?></div>
     
    -						<div class="ui-widget-content sortable widget template <?php echo $widget['name'] ?>" id="<?php echo Inflector::camelize($widget['name']) ?>">
    +						<div class="ui-widget-content sortable widget template <?php echo h($widget['name']) ?>" id="<?php echo Inflector::camelize($widget['name']) ?>">
     							<div class="clearfix">
    -								<div class="widget-name display-none"><?php echo $widget['name'] ?></div>
    +								<div class="widget-name display-none"><?php echo h($widget['name']) ?></div>
     								<div class="del"><?php echo __d('baser', '削除')?></div>
     								<div class="action"><?php echo __d('baser', '設定')?></div>
     								<div class="head"><?php echo $widget['title'] ?></div>
     							</div>
     							<div class="content" style="text-align:right">
    -								<p class="widget-name"><small><?php echo $widget['title'] ?></small></p>
    +								<p class="widget-name"><small><?php echo h($widget['title']) ?></small></p>
     								<?php echo $this->BcForm->create('Widget', ['url' => ['controller' => 'widget_areas', 'action' => 'update_widget', $this->BcForm->value('WidgetArea.id')], 'class' => 'form']) ?>
     								<?php echo $this->BcForm->input('Widget.id', ['type' => 'hidden', 'class' => 'id']) ?>
     								<?php echo $this->BcForm->input('Widget.type', ['type' => 'hidden', 'value' => $widget['title']]) ?>
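Review bot: The line `<div class="head"><?php echo $widget['title'] ?></div>` inside the `clearfix` block is left unescaped in this file, whereas the corresponding line in app/webroot/theme/admin-third/WidgetAreas/admin/form.php is changed to `h($widget['title'])` in the same commit; the `id` attributes built with `Inflector::camelize($widget['name'])` are unescaped here as well. This looks like a missed occurrence and should be brought in line with the admin-third version.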
    @@ -138,12 +138,12 @@
     				<?php $enabled = ' enabled' ?>
     			<?php endif ?>
     
    -						<div class="ui-widget-content sortable widget setting <?php echo $widget[$key]['element'] ?><?php echo $enabled ?>" id="Setting<?php echo $widget[$key]['id'] ?>">
    +						<div class="ui-widget-content sortable widget setting <?php echo h($widget[$key]['element']) ?><?php echo $enabled ?>" id="Setting<?php echo $widget[$key]['id'] ?>">
     							<div class="clearfix">
    -								<div class="widget-name display-none"><?php echo $widget[$key]['element'] ?></div>
    +								<div class="widget-name display-none"><?php echo h($widget[$key]['element']) ?></div>
     								<div class="del"><?php echo __d('baser', '削除')?></div>
     								<div class="action"><?php echo __d('baser', '設定')?></div>
    -								<div class="head"><?php echo $widget[$key]['name'] ?></div>
    +								<div class="head"><?php echo h($widget[$key]['name']) ?></div>
     							</div>
     							<div class="content" style="text-align:right">
     								<p><small><?php echo $widget[$key]['type'] ?></small></p>
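Review bot: `id="Setting<?php echo $widget[$key]['id'] ?>"` and `<p><small><?php echo $widget[$key]['type'] ?></small></p>` are still echoed raw in this hunk, the same gap as in the admin-third form.php; wrapping both in `h()` would complete the fix for this template.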
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5
