VYPR
Moderate severity · NVD Advisory · Published Nov 25, 2022 · Updated Apr 23, 2025

Cross-site scripting vulnerability in BaserCMS

CVE-2022-39325

Description

BaserCMS is a content management system with a Japanese language focus. In affected versions there is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. Users of baserCMS are advised to upgrade as soon as possible. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BaserCMS 4.7.1 and earlier contain a stored cross-site scripting vulnerability in the management system, enabling script injection via unescaped output.

Vulnerability Overview

CVE-2022-39325 is a cross-site scripting (XSS) vulnerability affecting the management system of BaserCMS, a content management system with a Japanese language focus. The root cause is the failure to properly escape output when rendering user-controlled data in several administrative views, such as the favorites list, permission settings, and user group management screens [2]. The commit that fixes the issue applies the h() helper function to values like Dblog.name, Favorite['Favorite']['name'], Permission['url'], and others, indicating that these fields were previously output without HTML escaping [2].

Attack Vector and Prerequisites

The vulnerability resides in the administrative interface and can be exploited when the management system is used by an unspecified number of users, such as in multi-tenant or shared hosting environments [1][3]. An attacker with the ability to input or modify data in the affected fields (e.g., creating or editing favorites, permissions, or user groups) can inject malicious JavaScript code. The injected script is then stored and executed in the browsers of other administrators who view the same pages, leading to a stored XSS attack [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. This can lead to page content alteration, theft of session cookies (potentially enabling session hijacking), and other actions that the victim can perform within the management system [3]. The CVSS v3.1 score is 6.1 (Medium) for the network-based, low-complexity attack that requires user interaction, but the real-world impact is elevated when multiple users access the same admin panel [1].

Mitigation and Remediation

The vendor has addressed this vulnerability in a subsequent release of BaserCMS. Users are strongly advised to upgrade to the latest version as soon as possible [1][3]. The official security advisory from the BaserCMS project also notes that no workarounds are available, meaning updating is the only definitive fix [3]. The fix itself involves adding proper HTML encoding to previously unescaped template outputs [2].
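As an added example (not from the advisory or the baserCMS project), a small Python lint that finds the pattern the fix commit addresses: CakePHP 2 template echoes whose expression is not wrapped in h(), and a rewrite step that applies the same h() wrapping the commit made by hand. The allow-list of helpers that emit their own markup and the sample template fragment are constructed assumptions.

```python
import re

# CakePHP 2 output statements: `<?= expr ?>` or `<?php echo expr; ?>`.
ECHO_RE = re.compile(r"<\?(?:=|php\s+echo)\s*(.*?)\s*;?\s*\?>", re.S)

# Helpers assumed (not verified against baserCMS) to emit already-escaped
# markup. BcText->arrayValue is absent on purpose: the fix had to wrap it in h().
SAFE_HELPER_PREFIXES = ("$this->BcForm->input(", "$this->BcForm->label(", "__d(")

def is_escaped(expr: str) -> bool:
    """True only when a single h(...) call encloses the whole expression."""
    expr = expr.strip()
    if not expr.startswith("h("):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        depth += (ch == "(") - (ch == ")")
        if ch == ")" and depth == 0:  # outer h( closes here; must be last char
            return i == len(expr) - 1  # h($a) . $b closes early -> False
    return False

def needs_escaping(expr: str) -> bool:
    return not (is_escaped(expr) or expr.startswith(SAFE_HELPER_PREFIXES))

def find_unescaped_output(template: str) -> list[tuple[int, str]]:
    """Return (line, expression) for every echo not routed through h()."""
    return [
        (template.count("\n", 0, m.start()) + 1, m.group(1).strip())
        for m in ECHO_RE.finditer(template)
        if needs_escaping(m.group(1).strip())
    ]

def apply_fix(template: str) -> str:
    """Wrap each flagged expression in h(), as the fix commit did by hand."""
    def wrap(m):
        expr = m.group(1).strip()
        return m.group(0).replace(expr, f"h({expr})", 1) if needs_escaping(expr) else m.group(0)
    return ECHO_RE.sub(wrap, template)

# Constructed sample: the pre-fix echo lines from the advisory's diff, plus one
# helper call (last line) that renders its own markup and must not be flagged.
VULNERABLE = """<?= Hash::get($row, 'Dblog.name') ?>
<?php echo $data['Permission']['url']; ?>
<?php echo $userGroups[$this->BcForm->value('Permission.user_group_id')] ?>
<?php echo $this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups) ?>
<?php echo $this->BcForm->input('Permission.user_group_id', ['type' => 'hidden']) ?>
"""
```

Run against a checkout, the lint reports line and expression for each raw echo; the parenthesis walk does not understand string literals, so a `)` inside a quoted string can produce a false negative that needs manual review.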

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           | Affected versions | Patched versions
baserproject/basercms (Packagist) | < 4.7.2           | 4.7.2

Affected products: 2

Patches: 1

b6f8a54e90de

Merge remote-tracking branch 'basercms-ghsa-395x-wv32-44v5/advisory-fix-1' into dev-4

10 files changed · +10 -10
  • app/webroot/theme/admin-third/Elements/admin/dblogs/index_row.php  +1 -1  modified
    @@ -22,7 +22,7 @@ class="bca-table-listup__tbody-td"
     		<?= Hash::get($row, 'Dblog.id') ?>
     	</td>
     	<td class="bca-table-listup__tbody-td">
    -		<?= Hash::get($row, 'Dblog.name') ?>
    +		<?= h(Hash::get($row, 'Dblog.name')) ?>
     	</td>
     	<td class="bca-table-listup__tbody-td">
     		<?php if ($row['Dblog']['user_id']): ?>
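Review bot: Dblog.id two lines above the changed one is still echoed raw through Hash::get(). If the id column is always an integer this is harmless, but wrapping it in h() as well keeps every cell in the row on the same rule and avoids a second pass if the field type ever changes.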
    
  • app/webroot/theme/admin-third/Elements/admin/favorite_menu_row.php  +1 -1  modified
    @@ -21,7 +21,7 @@
     	<?php $this->BcBaser->link(
     		'<span class="bca-nav-favorite-list-item-label">' . h($favorite['Favorite']['name']) . '</span>',
     		$favorite['Favorite']['url'],
    -		['title' => Router::url($favorite['Favorite']['url'], true)]
    +		['title' => h(Router::url($favorite['Favorite']['url'], true))]
     	) ?>
     	<?php echo $this->BcForm->input('Favorite.id.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['id'], 'class' => 'favorite-id']) ?>
     	<?php echo $this->BcForm->input('Favorite.name.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['name'], 'class' => 'favorite-name']) ?>
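Review bot: wrapping the title value in h() is the right fix for an attribute context, since h() escapes double quotes as well as angle brackets. The same `$favorite['Favorite']['url']` is also passed as the href on the line above the change; whether BcBaser->link() escapes that attribute is not visible in this hunk and should be confirmed, because h() on the title alone does not cover it.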
    
  • app/webroot/theme/admin-third/Elements/admin/permissions/index_row.php  +1 -1  modified
    @@ -39,7 +39,7 @@
     	<td class="bca-table-listup__tbody-td">
     		<?php $this->BcBaser->link($data['Permission']['name'], ['action' => 'edit', $this->request->params['pass'][0], $data['Permission']['id']], ['escape' => true]) ?>
     		<br>
    -		<?php echo $data['Permission']['url']; ?>
    +		<?php echo h($data['Permission']['url']); ?>
     	</td>
     	<td class="bca-table-listup__tbody-td"><?php echo $this->BcText->arrayValue($data['Permission']['auth'], [0 => '×', 1 => '〇']) ?></td>
     	<?php echo $this->BcListTable->dispatchShowRow($data) ?>
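Review bot: escaping `Permission.url` brings it in line with the name link above it, which already passes `['escape' => true]`. The remaining output in this row comes from `BcListTable->dispatchShowRow($data)`, whose implementation is outside this diff; the fix for this view is complete only if that hook escapes the fields it renders.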
    
  • app/webroot/theme/admin-third/Permissions/admin/form.php  +1 -1  modified
    @@ -30,7 +30,7 @@
     			<th class="col-head bca-form-table__label"><?php echo $this->BcForm->label('Permission.user_group_id', __d('baser', 'ユーザーグループ')) ?></th>
     			<td class="col-input bca-form-table__input">
     				<?php $userGroups = $this->BcForm->getControlSource('user_group_id') ?>
    -				<?php echo $userGroups[$this->BcForm->value('Permission.user_group_id')] ?>
    +				<?php echo h($userGroups[$this->BcForm->value('Permission.user_group_id')]) ?>
     				<?php echo $this->BcForm->input('Permission.user_group_id', ['type' => 'hidden']) ?>
     			</td>
     		</tr>
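Review bot: `$userGroups[$this->BcForm->value('Permission.user_group_id')]` is an array lookup keyed on a posted value; if the key is missing PHP emits a notice and h() receives null. Consider `h($userGroups[$this->BcForm->value('Permission.user_group_id')] ?? '')` so the cell degrades quietly instead of leaking a notice into the page.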
    
  • app/webroot/theme/admin-third/Users/admin/form.php  +1 -1  modified
    @@ -100,7 +100,7 @@ class="helptext"><?php echo __d('baser', 'ニックネームを設定してい
     					<div id="helptextUserGroupId"
     						 class="helptext"><?php echo sprintf(__d('baser', 'ユーザーグループごとにコンテンツへのアクセス制限をかける場合などには%sより新しいグループを追加しアクセス制限の設定をおこないます。'), $this->BcBaser->getLink(__d('baser', 'ユーザーグループ管理'), ['controller' => 'user_groups', 'action' => 'index'])) ?></div>
     				<?php else: ?>
    -					<?php echo $this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups) ?>
    +					<?php echo h($this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups)) ?>
     					<?php echo $this->BcForm->input('User.user_group_id', ['type' => 'hidden']) ?>
     				<?php endif ?>
     			</td>
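Review bot: h() around arrayValue() is needed because that helper returns the looked-up string rather than markup. The hidden input below it needs no change provided BcForm->input() delegates to CakePHP's FormHelper, which escapes attribute values by default; if it builds the tag itself, that path should be checked too.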
    
  • lib/Baser/View/Elements/admin/dblogs/index_row.php  +1 -1  modified
    @@ -22,7 +22,7 @@ class="bca-table-listup__tbody-td"
     		<?= Hash::get($row, 'Dblog.id') ?>
     	</td>
     	<td class="bca-table-listup__tbody-td">
    -		<?= Hash::get($row, 'Dblog.name') ?>
    +		<?= h(Hash::get($row, 'Dblog.name')) ?>
     	</td>
     	<td class="bca-table-listup__tbody-td">
     		<?php if ($row['Dblog']['user_id']): ?>
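Review bot: this is the same one-line change as in app/webroot/theme/admin-third/Elements/admin/dblogs/index_row.php; the element exists as two copies that must be patched in lockstep, which is how the unescaped output survived in both. A shared element, or a view test that renders a row whose Dblog.name contains `<`, would keep the copies from drifting apart again.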
    
  • lib/Baser/View/Elements/admin/favorite_menu_row.php  +1 -1  modified
    @@ -18,7 +18,7 @@
     
     <li id="FavoriteRow<?php echo h($favorite['Favorite']['name']) ?>">
     	<?php $favorite['Favorite']['url'] = preg_replace('/^\/admin\//', '/' . BcUtil::getAdminPrefix() . '/', $favorite['Favorite']['url']) ?>
    -	<?php $this->BcBaser->link(h($favorite['Favorite']['name']), $favorite['Favorite']['url'], ['title' => Router::url($favorite['Favorite']['url'], true)]) ?>
    +	<?php $this->BcBaser->link(h($favorite['Favorite']['name']), $favorite['Favorite']['url'], ['title' => h(Router::url($favorite['Favorite']['url']), true)]) ?>
     	<?php echo $this->BcForm->input('Favorite.id.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['id'], 'class' => 'favorite-id']) ?>
     	<?php echo $this->BcForm->input('Favorite.name.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['name'], 'class' => 'favorite-name']) ?>
     	<?php echo $this->BcForm->input('Favorite.url.' . $favorite['Favorite']['id'], ['type' => 'hidden', 'value' => $favorite['Favorite']['url'], 'class' => 'favorite-url']) ?>
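Review bot: the closing parenthesis moved in the new line: `h(Router::url($favorite['Favorite']['url']), true)` passes `true` to h() (CakePHP 2's double-encode flag) instead of to Router::url() as its `$full` argument, so the title attribute silently changes from an absolute to a relative URL. The admin-third copy of this element keeps the argument inside Router::url(); this one should read `h(Router::url($favorite['Favorite']['url'], true))`.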
    
  • lib/Baser/View/Elements/admin/permissions/index_row.php  +1 -1  modified
    @@ -43,7 +43,7 @@ class="sort-handle"><?php $this->BcBaser->img('admin/sort.png', ['alt' => __d('b
     	<td style="width:55%">
     		<?php $this->BcBaser->link($data['Permission']['name'], ['action' => 'edit', $this->request->params['pass'][0], $data['Permission']['id']], ['escape' => true]); ?>
     		<br/>
    -		<?php echo $data['Permission']['url']; ?>
    +		<?php echo h($data['Permission']['url']); ?>
     	</td>
     	<td style="width:10%"
     		class="align-center"><?php echo $this->BcText->arrayValue($data['Permission']['auth'], [0 => '×', 1 => '○']) ?></td>
    
  • lib/Baser/View/Permissions/admin/form.php  +1 -1  modified
    @@ -30,7 +30,7 @@
     			<th class="col-head"><?php echo $this->BcForm->label('Permission.user_group_id', __d('baser', 'ユーザーグループ')) ?></th>
     			<td class="col-input">
     				<?php $userGroups = $this->BcForm->getControlSource('user_group_id') ?>
    -				<?php echo $userGroups[$this->BcForm->value('Permission.user_group_id')] ?>
    +				<?php echo h($userGroups[$this->BcForm->value('Permission.user_group_id')]) ?>
     				<?php echo $this->BcForm->input('Permission.user_group_id', ['type' => 'hidden']) ?>
     			</td>
     		</tr>
    
  • lib/Baser/View/Users/admin/form.php  +1 -1  modified
    @@ -99,7 +99,7 @@ class="helptext"><?php echo __d('baser', 'ニックネームを設定してい
     					<div id="helptextUserGroupId"
     						 class="helptext"> <?php echo sprintf(__d('baser', 'ユーザーグループごとにコンテンツへのアクセス制限をかける場合などには%sより新しいグループを追加しアクセス制限の設定をおこないます。'), $this->BcBaser->getLink(__d('baser', 'ユーザーグループ管理'), ['controller' => 'user_groups', 'action' => 'index'])) ?></div>
     				<?php else: ?>
    -					<?php echo $this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups) ?>
    +					<?php echo h($this->BcText->arrayValue($this->request->data['User']['user_group_id'], $userGroups)) ?>
     					<?php echo $this->BcForm->input('User.user_group_id', ['type' => 'hidden']) ?>
     				<?php endif ?>
     			</td>
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.