baserCMS File Uploader Remote Code Execution (RCE) vulnerability
Description
baserCMS is a content management system. Versions prior to 4.7.5 contain a Remote Code Execution (RCE) vulnerability in the baserCMS management system. Version 4.7.5 contains a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote Code Execution vulnerability in baserCMS prior to 4.7.5 due to insufficient file extension validation, allowing arbitrary code upload.
CVE-2023-25654 is a Remote Code Execution (RCE) vulnerability in the baserCMS content management system, affecting versions prior to 4.7.5. The root cause is insufficient validation of file extensions during file upload operations, allowing an attacker to upload a malicious PHP file that can be executed on the server [1][2][4].
Exploitation requires access to the management system (i.e., an authenticated administrator session; the management interface is not publicly exposed by default). The vulnerability is triggered when an attacker uploads a file with an executable extension, such as .php, that bypasses the intended extension allow list because of a flaw in the fileExt validation function [2][4]. The commit diff shows that the validation logic was revised to check file extensions for both array and string inputs, and to reverse the return condition so that invalid extensions are rejected [4].
Successful exploitation allows an attacker to execute arbitrary PHP code on the underlying server, leading to full compromise of the web application and potentially the server. This could result in data theft, website defacement, or further internal network attacks [1][2]. The vulnerability is rated critical with a CVSS score of 9.8 (NVD) due to the high potential impact and low complexity of exploitation [1].
The baserCMS project released version 4.7.5 to patch this vulnerability. Users are advised to upgrade immediately. There are no known workarounds; the only mitigation is to apply the patch or upgrade to the latest version [1][2].
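To make the flaw in fileExt concrete, the following is an added Python model of the check before and after the 4.7.5 fix; it is illustration code, not baserCMS's PHP. It assumes that baserCMS's decodeContent() can be approximated by reading the extension from the file name, and that the function ends in a `return true` that the diff does not show.

```python
"""Model of BcAppModel::fileExt() before and after the 4.7.5 fix (illustration only)."""
import os


def _ext_of(name: str) -> str:
    # Stand-in for decodeContent($type, $name): take the extension from the name (assumption).
    return os.path.splitext(name)[1].lstrip(".")


def _normalize_exts(exts):
    # The allow list may be a comma-separated string or a list, as in the PHP code.
    return exts.split(",") if isinstance(exts, str) else list(exts)


def file_ext_before(check: dict, exts) -> bool:
    """Pre-4.7.5 logic: only a $_FILES-style array with a non-empty 'name' is checked.

    A plain string (the value the model carries on update) never enters the
    branch, because PHP's empty($file['name']) is true for a string offset,
    so the function falls through to its trailing 'return true' (assumed)."""
    file = next(iter(check.values()))  # $check[key($check)]
    if isinstance(file, dict) and file.get("name"):
        return _ext_of(file["name"]) in _normalize_exts(exts)
    return True


def file_ext_after(check: dict, exts) -> bool:
    """4.7.5 logic: normalize the allow list first, check both the array form and
    the non-empty string form, and reject as soon as an extension is not listed."""
    file = next(iter(check.values()))
    allowed = _normalize_exts(exts)
    if isinstance(file, dict) and file.get("name"):
        if _ext_of(file["name"]) not in allowed:
            return False
    if file and isinstance(file, str):  # !empty($file) && is_string($file)
        if _ext_of(file) not in allowed:  # pathinfo($file, PATHINFO_EXTENSION)
            return False
    return True


# Constructed sample inputs: an upload array and a bare string value.
UPLOAD_ARRAY = {"image": {"name": "upload.php", "type": "text/plain"}}
STRING_VALUE = {"image": "upload.php"}
```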
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| baserproject/basercms (Packagist) | < 4.7.5 | 4.7.5 |
Affected products
- baserproject/basercms v5, range: < 4.7.4
Patches
08247f0a633d: Merge pull request from GHSA-h4cc-fxpp-pgw9
1 file changed · +14 −6
lib/Baser/Model/BcAppModel.php+14 −6 modified@@ -932,14 +932,22 @@ public function fileCheck($check, $size) public function fileExt($check, $exts) { $file = $check[key($check)]; + if (!is_array($exts)) { + $exts = explode(',', $exts); + } + + // FILES形式のチェック if (!empty($file['name'])) { - if (!is_array($exts)) { - $exts = explode(',', $exts); - } $ext = decodeContent($file['type'], $file['name']); - if (in_array($ext, $exts)) { - return true; - } else { + if (!in_array($ext, $exts)) { + return false; + } + } + + // 更新時の文字列チェック + if (!empty($file) && is_string($file)) { + $ext = pathinfo($file, PATHINFO_EXTENSION); + if (!in_array($ext, $exts)) { return false; } }
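Review bot: the entries produced by `explode(',', $exts)` are not trimmed, so a configured list such as `'png, jpg'` yields `' jpg'` and `in_array('jpg', $exts)` fails; consider `$exts = array_map('trim', explode(',', $exts));` before either branch. The comparison is also case-sensitive, so `photo.JPG` is rejected when the list holds `jpg`. Both cases fail closed, but a `strtolower($ext)` before the lookup (with a lower-case allow list) avoids surprising rejections.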
1 file changed · +1 −1
lib/Baser/Model/BcAppModel.php+1 −1 modified@@ -945,7 +945,7 @@ public function fileExt($check, $exts) } // 更新時の文字列チェック - if (is_string($file)) { + if (!empty($file) && is_string($file)) { $ext = pathinfo($file, PATHINFO_EXTENSION); if (!in_array($ext, $exts)) { return false;
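Review bot: `!empty($file)` also treats the string `'0'` as empty, so a stored value of exactly `0` would skip the extension check; `$file !== ''` expresses the intent (a non-empty string) without that edge case. The added guard does correct the earlier bare `is_string($file)` test, which rejected an empty string because `pathinfo('', PATHINFO_EXTENSION)` returns `''`.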
1 file changed · +14 −6
lib/Baser/Model/BcAppModel.php+14 −6 modified@@ -932,14 +932,22 @@ public function fileCheck($check, $size) public function fileExt($check, $exts) { $file = $check[key($check)]; + if (!is_array($exts)) { + $exts = explode(',', $exts); + } + + // FILES形式のチェック if (!empty($file['name'])) { - if (!is_array($exts)) { - $exts = explode(',', $exts); - } $ext = decodeContent($file['type'], $file['name']); - if (in_array($ext, $exts)) { - return true; - } else { + if (!in_array($ext, $exts)) { + return false; + } + } + + // 更新時の文字列チェック + if (is_string($file)) { + $ext = pathinfo($file, PATHINFO_EXTENSION); + if (!in_array($ext, $exts)) { return false; } }
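Review bot: `is_string($file)` is true for the empty string, and `pathinfo('', PATHINFO_EXTENSION)` returns `''`, which is never in `$exts`, so a record updated with no file set would be rejected by this new branch; guard it with a non-empty test (e.g. `if ($file !== '' && is_string($file))`) before the lookup.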
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-h4cc-fxpp-pgw9 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2023-25654 (NVD advisory)
3. github.com/baserproject/basercms/commit/002886be0998c74c386e04f0b43688a8a45d7a96 (commit)
4. github.com/baserproject/basercms/commit/08247f0a633d8e836ce2e5cd2d53aa19901a1359 (commit)
5. github.com/baserproject/basercms/commit/60f83054d8131b0ace60716cec7e629b5eb3a8f0 (commit)
6. github.com/baserproject/basercms/releases/tag/basercms-4.7.5 (release)
7. github.com/baserproject/basercms/security/advisories/GHSA-h4cc-fxpp-pgw9 (vendor advisory)