VYPR
Moderate severity · NVD Advisory · Published Oct 30, 2023 · Updated Sep 6, 2024

baserCMS Cross-site Scripting vulnerability in File upload Feature

CVE-2023-43647

Description

baserCMS is a website development framework. Prior to version 4.8.0, there is a cross-site scripting vulnerability in the file upload feature of baserCMS. Version 4.8.0 contains a patch for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting vulnerability in baserCMS's file upload feature allows unauthenticated attackers to inject arbitrary web scripts via filenames.

Vulnerability

baserCMS prior to version 4.8.0 contains a cross-site scripting (XSS) vulnerability in its file upload feature. The root cause is insufficient output escaping of the $listId variable when the upload form templates render HTML span elements. In the affected code, $listId is echoed directly into the span's id attribute without HTML escaping ([2]), so a value containing attribute-breaking characters is rendered as markup, enabling injection of malicious HTML or JavaScript. This occurs in multiple template files (e.g., uploader_files/form and uploader_files/index), where the span element's id attribute is built from unescaped user-supplied values.

Exploitation

An attacker can exploit this vulnerability by crafting a filename or other user-controllable input that ends up as $listId during file upload. No authentication is required, as the file upload feature can be accessed by unauthenticated users; however, the advisory specifically notes the issue as needing attention when the management system is used by an unspecified number of users ([4]). The attack surface is the file upload functionality exposed on the front end, and the injected script executes in the browser of any user who views the uploaded file listing.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of an administrator or other users who view the file upload interface. This can lead to session hijacking, defacement, or theft of sensitive data. The vulnerability is considered moderate severity and has been addressed in version 4.8.0.

Mitigation

Users are strongly recommended to upgrade to baserCMS version 4.8.0, which includes a fix that applies h() (the CakePHP HTML-escaping function) to $listId before output ([2]). No workaround is documented. The advisory explicitly covers baserCMS 4.7.8 and earlier versions ([4]).
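Added example, not code from this page or from the baserCMS project: a small Python lint that flags PHP short-echo tags whose expression outputs a variable that no h() call covers, run over constructed template lines shaped like the ones the fix touched (raw echo of $listId in an id attribute, its h() form, and a helper fed a raw $id). The list of calls treated as already safe (h, htmlspecialchars, __d, __) and the choice to ignore $this are assumptions of the example.

```python
import re

# Constructed sample template lines (not the page's own diff) modelled on the
# lines the CVE-2023-43647 fix touched: a raw echo of $listId in an id attribute,
# its patched form wrapped in h(), and a helper call fed a raw $id.
SAMPLE_TEMPLATE = """\
<span id="SpanUploadFile<?php echo $listId ?>">
<span id="SpanUploadFile<?php echo h($listId) ?>">
<?php echo $this->BcBaser->js('/feed/ajax/' . $id) ?>
<?php echo $this->BcBaser->js('/feed/ajax/' . h($id)) ?>
<figcaption><?php echo h(mb_basename($value)) ?></figcaption>
<?php echo __d('baser', 'Download') ?>
"""

# Every short-echo tag, capturing the echoed expression.
ECHO_RE = re.compile(r"<\?php\s+echo\s+(?P<expr>.+?)\s*;?\s*\?>")
# Assumed-safe outer calls: h()/htmlspecialchars() escape, __d()/__() return
# developer-authored translation strings.
SAFE_RE = re.compile(r"^(?:h|htmlspecialchars|__d|__)\(")
# A complete h(...) call, allowing one level of nested parentheses.
H_CALL_RE = re.compile(r"\bh\((?:[^()]|\([^()]*\))*\)")
# Any PHP variable other than $this (helper calls via $this are not data).
VAR_RE = re.compile(r"\$(?!this\b)\w+")


def unescaped_echo(expr: str) -> bool:
    """True when the expression echoes a variable that no h() call covers."""
    expr = expr.strip()
    if SAFE_RE.match(expr):
        return False
    remaining = H_CALL_RE.sub("", expr)  # drop the parts h() already covers
    return VAR_RE.search(remaining) is not None


def find_unescaped(template: str) -> list:
    """Return (line_number, expression) for each echo that is not escaped."""
    hits = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for m in ECHO_RE.finditer(line):
            if unescaped_echo(m.group("expr")):
                hits.append((lineno, m.group("expr").strip()))
    return hits


if __name__ == "__main__":
    for lineno, expr in find_unescaped(SAMPLE_TEMPLATE):
        print(f"line {lineno}: unescaped output of {expr}")
```

Run against a real template tree the hits are only candidates: a variable that is an integer by construction is a false positive, and a raw variable echoed into a URL or JavaScript context needs a context-specific encoding rather than h().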

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: baserproject/basercms (Packagist)
Affected versions: < 4.8.0
Patched versions: 4.8.0


Patches

eb5977533d05

Merge pull request from GHSA-ggj4-78rm-6xgv

https://github.com/baserproject/basercms · ゴンドー · Oct 26, 2023 · via ghsa
8 files changed · +9 −9
  • app/webroot/theme/admin-third/Elements/admin/uploader_files/index_list.php  +2 −2  modified
    @@ -36,7 +36,7 @@
     					<?php if ($uploaderCategories): ?>
     						<?php echo $this->BcForm->input('UploaderFile.uploader_category_id', ['type' => 'select', 'options' => $uploaderCategories, 'empty' => __d('baser', 'カテゴリ指定なし'), 'id' => 'UploaderFileUploaderCategoryId' . $listId, 'style' => 'width:100px']) ?>&nbsp;
     					<?php endif ?>
    -					<span id="SpanUploadFile<?php echo $listId ?>">
    +					<span id="SpanUploadFile<?php echo h($listId) ?>">
     			<?php echo $this->BcForm->input('UploaderFile.file', ['type' => 'file', 'id' => 'UploaderFileFile' . $listId, 'class' => 'uploader-file-file', 'div' => false]) ?>
     		</span>
     				</div>
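Review bot: h() now covers the span's id attribute, but the same $listId is still concatenated raw into the 'id' option of both BcForm->input() calls in this hunk ('UploaderFileUploaderCategoryId' . $listId and 'UploaderFileFile' . $listId). Confirm that BcForm->input() escapes attribute values when it renders them; if it does not, those two attributes remain an injection point for exactly the value this hunk escapes.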
    @@ -58,7 +58,7 @@
     						<?php if ($uploaderCategories): ?>
     							<?php echo $this->BcForm->input('UploaderFile.uploader_category_id', ['type' => 'select', 'options' => $uploaderCategories, 'empty' => __d('baser', 'カテゴリ指定なし'), 'id' => 'UploaderFileUploaderCategoryId' . $listId]) ?>
     						<?php endif ?>
    -						<span id="SpanUploadFile<?php echo $listId ?>">
    +						<span id="SpanUploadFile<?php echo h($listId) ?>">
     					<?php echo $this->BcForm->input('UploaderFile.file', ['type' => 'file', 'id' => 'UploaderFileFile' . $listId, 'class' => 'uploader-file-file', 'div' => false]) ?>
     				</span>
     					</div>
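Review bot: This is the second copy of the same span within one template, fixed by the same one-token change. If $listId is only ever a list index, casting it to an integer where it is assigned would fix both copies at the source and make the per-use h() calls defensive rather than load-bearing; as written, every future copy of this markup has to remember the h().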
    
  • app/webroot/theme/admin-third/Elements/admin/uploader_files/index_panel.php  +1 −1  modified
    @@ -33,7 +33,7 @@
     					<?php if ($uploaderCategories): ?>
     						<?php echo $this->BcForm->input('UploaderFile.uploader_category_id', ['type' => 'select', 'options' => $uploaderCategories, 'empty' => __d('baser', 'カテゴリ指定なし'), 'id' => 'UploaderFileUploaderCategoryId' . $listId]) ?>&nbsp;
     					<?php endif ?>
    -					<span id="SpanUploadFile<?php echo $listId ?>">
    +					<span id="SpanUploadFile<?php echo h($listId) ?>">
     				<?php echo $this->BcForm->input('UploaderFile.file', ['type' => 'file', 'id' => 'UploaderFileFile' . $listId, 'class' => 'uploader-file-file', 'div' => false]) ?>
     			</span>
     				</div>
    
  • app/webroot/theme/admin-third/FeedConfigs/admin/preview.php  +1 −1  modified
    @@ -15,4 +15,4 @@
      */
     ?>
     <h2><?php echo h($feedConfig['FeedConfig']['name']); ?></h2>
    -<?php echo $this->BcBaser->js('/feed/ajax/' . $id) ?>
    +<?php echo $this->BcBaser->js('/feed/ajax/' . h($id)) ?>
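Review bot: h() is an HTML-context escape, but $id here is placed in a URL path segment that BcBaser->js() then turns into a script src attribute. A character such as & in $id would come out as &amp; inside the path, so the more precise fix is to validate or cast $id (an integer cast if feed configs are keyed by integer id) or apply URL-context encoding, and to check whether BcBaser->js() already escapes the attribute itself, in which case the value is now escaped twice.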
    
  • lib/Baser/Plugin/Feed/View/FeedConfigs/admin/preview.php  +1 −1  modified
    @@ -15,4 +15,4 @@
      */
     ?>
     <h2><?php $this->BcBaser->contentsTitle() ?></h2>
    -<?php echo $this->BcBaser->js('/feed/ajax/' . $id) ?>
    +<?php echo $this->BcBaser->js('/feed/ajax/' . h($id)) ?>
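Review bot: Same concern as for the admin-third copy of this template: h() escapes for HTML text, yet $id is used as a URL path segment, so validating the id's format before building the path is the tighter fix than HTML-escaping it. The two preview.php templates differ only in how the heading is rendered; consider whether one can include the other so this does not have to be fixed twice.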
    
  • lib/Baser/Plugin/Mail/View/Helper/MaildataHelper.php  +1 −1  modified
    @@ -95,7 +95,7 @@ public function toDisplayString($type, $value, $prefixSpace = true)
     						$this->BcBaser->getImg($link, ['width' => 400]), $link, ['target' => '_blank']
     					);
     				} else {
    -					$result = $this->BcBaser->getLink($file, $link);
    +					$result = $this->BcBaser->getLink($file, $link, ['escape' => true]);
     				}
     				break;
     
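Review bot: The else branch now passes ['escape' => true] to getLink(), but the image branch at the top of the hunk builds its link from getImg($link, ...) and $link with no escape option, which is right for the image markup but means $link itself must already be a safe URL; confirm where $link is assembled. If getLink() escapes by default, a short comment explaining why the explicit option is needed here would save the next reader from asking the same question.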
    
  • lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_list.php  +1 −1  modified
    @@ -33,7 +33,7 @@
     					<?php if ($uploaderCategories): ?>
     						<?php echo $this->BcForm->input('UploaderFile.uploader_category_id', ['type' => 'select', 'options' => $uploaderCategories, 'empty' => __d('baser', 'カテゴリ指定なし'), 'id' => 'UploaderFileUploaderCategoryId' . $listId, 'style' => 'width:100px']) ?>&nbsp;
     					<?php endif ?>
    -					<span id="SpanUploadFile<?php echo $listId ?>">
    +					<span id="SpanUploadFile<?php echo h($listId) ?>">
     			<?php echo $this->BcForm->input('UploaderFile.file', ['type' => 'file', 'id' => 'UploaderFileFile' . $listId, 'class' => 'uploader-file-file', 'div' => false]) ?>
     		</span>
     				</div>
    
  • lib/Baser/Plugin/Uploader/View/Elements/admin/uploader_files/index_panel.php  +1 −1  modified
    @@ -33,7 +33,7 @@
     				<?php if ($uploaderCategories): ?>
     					<?php echo $this->BcForm->input('UploaderFile.uploader_category_id', ['type' => 'select', 'options' => $uploaderCategories, 'empty' => __d('baser', 'カテゴリ指定なし'), 'id' => 'UploaderFileUploaderCategoryId' . $listId]) ?>&nbsp;
     				<?php endif ?>
    -				<span id="SpanUploadFile<?php echo $listId ?>">
    +				<span id="SpanUploadFile<?php echo h($listId) ?>">
     			<?php echo $this->BcForm->input('UploaderFile.file', ['type' => 'file', 'id' => 'UploaderFileFile' . $listId, 'class' => 'uploader-file-file', 'div' => false]) ?>
     		</span>
     			</div>
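Review bot: This hunk is a copy of the admin-third theme's index_panel.php fix, and the index_list.php hunks are likewise duplicated between lib/Baser/Plugin/Uploader and app/webroot/theme/admin-third. Two copies of the same element will drift; consider having the theme copy include the plugin element, or at least add a regression test that renders both with a $listId containing a double quote and asserts that the rendered id attribute contains no raw quote.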
    
  • lib/Baser/View/Helper/BcUploadHelper.php  +1 −1  modified
    @@ -141,7 +141,7 @@ public function fileLink($fieldName, $options = [])
     					if (is_array($options['link'])) {
     						$linkOptions = array_merge($linkOptions, $options['link']);
     					}
    -					$out = $this->Html->tag('figure', $this->Html->link(__d('baser', 'ダウンロード') . ' ≫', $filePath, $linkOptions) . '<br>' . $this->Html->tag('figcaption', mb_basename($value), $figcaptionOptions), $figureOptions);
    +					$out = $this->Html->tag('figure', $this->Html->link(__d('baser', 'ダウンロード') . ' ≫', $filePath, $linkOptions) . '<br>' . $this->Html->tag('figcaption', h(mb_basename($value)), $figcaptionOptions), $figureOptions);
     				}
     			} else {
     				$out = $value;
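Review bot: h(mb_basename($value)) fixes the figcaption, but the else branch visible at the end of the hunk still does $out = $value; and returns it unescaped. If that branch can be reached with a user-supplied value, it needs the same escaping; if it is intentionally raw (for example because the caller escapes), a comment stating that invariant would stop it from being flagged again.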
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
