baserCMS Directory Traversal vulnerability in Form submission data management Feature
Description
baserCMS is a website development framework. Prior to version 4.8.0, there is a Directory Traversal Vulnerability in the form submission data management feature of baserCMS. Version 4.8.0 contains a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A directory traversal vulnerability in baserCMS before 4.8.0 allows authenticated admin users to read arbitrary files via the form attachment download feature.
Root Cause
The directory traversal vulnerability exists in the form submission data management feature of baserCMS prior to version 4.8.0 [1][4]. The flaw resides in the admin_attachment() method of the Mail plugin's MailMessagesController, where the remaining URL arguments are joined with '/' into $file and concatenated into a file path without any validation [3]. The vulnerable code builds the path as WWW_ROOT . 'files' . DS . $settings['saveDir'] . DS . $file, so ../ sequences in $file walk out of the intended attachment directory.
Attack Vector
An attacker must be authenticated as an administrative user of the baserCMS management console [4]. From the admin interface, the attacker can access the form submission data management feature and supply a crafted filename containing ../ sequences to navigate the filesystem. No special network position or additional privileges are required beyond valid admin credentials.
Impact
Successful exploitation allows an attacker to read arbitrary files on the server within the permissions of the web application user [1][4]. This could expose sensitive information such as configuration files, source code, or other protected data stored on the server. The vulnerability does not enable code execution or data modification directly.
Mitigation
The issue is patched in baserCMS version 4.8.0 [1][3]. The fix resolves both the attachment base directory and the requested file with realpath() and responds with notFound() unless the resolved file path begins with the resolved base path [3]. Because realpath() follows symlinks and returns false for a path that does not exist, a request for a missing file also fails the check. Users should upgrade to 4.8.0 or later; no workarounds have been published.
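The two paths described above, the pre-4.8.0 concatenation in the root cause and the realpath()-based containment check in the fix, are worked through below in an added example. This is not baserCMS code: it rebuilds the same logic against a throwaway directory tree (the WWW_ROOT stand-in, the saveDir value 'mail' and the file names are all assumed for the demo) and also shows the one case a bare string-prefix comparison still lets through, a sibling directory whose name extends the base name.

```php
<?php
// Added example, not baserCMS code. Reproduces the path handling of
// MailMessagesController::admin_attachment() before and after 4.8.0 in a
// scratch directory and shows what a bare prefix check does not cover.
declare(strict_types=1);

const DS = DIRECTORY_SEPARATOR;

// Builds a scratch tree standing in for WWW_ROOT with saveDir = 'mail'.
// Directory and file names are assumed for the demo, not from a real install.
function makeSandbox(): string
{
    $root = sys_get_temp_dir() . DS . 'bcms_demo_' . getmypid() . DS;
    foreach (['files' . DS . 'mail', 'files' . DS . 'mail_old', 'config'] as $dir) {
        mkdir($root . $dir, 0700, true);
    }
    file_put_contents($root . 'files' . DS . 'mail' . DS . 'attach.png', 'PNG');
    file_put_contents($root . 'files' . DS . 'mail_old' . DS . 'stale.png', 'OLD');
    file_put_contents($root . 'config' . DS . 'database.php', '<?php // credentials');
    return $root;
}

// Pre-4.8.0: the remaining URL arguments are joined and appended verbatim.
function vulnerablePath(string $wwwRoot, string $saveDir, array $args): string
{
    $file = implode('/', $args);
    return $wwwRoot . 'files' . DS . $saveDir . DS . $file;
}

// The 4.8.0 check as committed: realpath() both sides, then a bare prefix test.
function prefixOnlyAllows(string $wwwRoot, string $saveDir, array $args): bool
{
    $basePath = realpath($wwwRoot . 'files' . DS . $saveDir);
    $filePath = realpath($basePath . DS . implode('/', $args));
    return strpos((string) $filePath, (string) $basePath) === 0;
}

// Stricter variant: handle realpath() failures explicitly and require the
// separator after the base so "mail_old" cannot satisfy a base of "mail".
function containedPath(string $wwwRoot, string $saveDir, array $args): ?string
{
    $basePath = realpath($wwwRoot . 'files' . DS . $saveDir);
    if ($basePath === false) {
        return null; // upload directory itself is missing
    }
    $filePath = realpath($basePath . DS . implode('/', $args));
    if ($filePath === false) {
        return null; // file does not exist or a component could not be resolved
    }
    if ($filePath !== $basePath && strpos($filePath, $basePath . DS) !== 0) {
        return null; // resolved outside the attachment directory
    }
    return $filePath;
}

function removeTree(string $dir): void
{
    foreach (scandir($dir) as $entry) {
        if ($entry === '.' || $entry === '..') {
            continue;
        }
        $path = $dir . DS . $entry;
        is_dir($path) ? removeTree($path) : unlink($path);
    }
    rmdir($dir);
}

function runDemo(): array
{
    $root = makeSandbox();
    $saveDir = 'mail';
    $traversal = ['..', '..', 'config', 'database.php']; // escapes files/mail
    $sibling   = ['..', 'mail_old', 'stale.png'];        // same prefix, other dir
    $legit     = ['attach.png'];

    $results = [
        'vulnerable_reaches_config'   => is_file(vulnerablePath($root, $saveDir, $traversal)),
        'prefix_check_blocks_config'  => !prefixOnlyAllows($root, $saveDir, $traversal),
        'prefix_check_allows_sibling' => prefixOnlyAllows($root, $saveDir, $sibling),
        'strict_blocks_config'        => containedPath($root, $saveDir, $traversal) === null,
        'strict_blocks_sibling'       => containedPath($root, $saveDir, $sibling) === null,
        'strict_allows_legit'         => containedPath($root, $saveDir, $legit) !== null,
    ];
    removeTree(rtrim($root, DS));
    return $results;
}

foreach (runDemo() as $case => $ok) {
    printf("%-28s %s\n", $case, $ok ? 'true' : 'false');
}
```

Run it with `php example.php`; every line should print true. The sibling case is the point of the third function: once both sides have been normalised with realpath(), comparing against the base path plus a trailing separator (or an exact match on the base itself) is what turns a prefix test into a containment test.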
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| baserproject/basercms | Packagist | < 4.8.0 | 4.8.0 |
Affected products
- baserproject/basercms: range < 4.8.0
Patches
7555a5cf0006 Merge pull request from GHSA-hmqj-gv2m-hq55
1 file changed · +8 −1
lib/Baser/Plugin/Mail/Controller/MailMessagesController.php+8 −1 modified@@ -264,7 +264,14 @@ public function admin_attachment() unset($args[0]); $file = implode('/', $args); $settings = $this->MailMessage->Behaviors->BcUpload->BcFileUploader['MailMessage']->settings; - $filePath = WWW_ROOT . 'files' . DS . $settings['saveDir'] . DS . $file; + $basePath = realpath(WWW_ROOT . 'files' . DS . $settings['saveDir']); + $filePath = realpath($basePath . DS . $file); + + // basePath配下出ない場合は表示しない + if (strpos($filePath, $basePath) !== 0) { + $this->notFound(); + } + $ext = decodeContent(null, $file); $mineType = 'application/octet-stream'; if ($ext !== 'gif' && $ext !== 'jpg' && $ext !== 'png') {
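Review bot: the containment test `if (strpos($filePath, $basePath) !== 0)` in this hunk is a bare string-prefix comparison, so a resolved path in a sibling directory whose name extends the base name (for example `.../files/mail_old/x` against a base of `.../files/mail`) passes it; compare against `$basePath . DS`, accepting `$filePath === $basePath` as well, instead. Two smaller points on the same lines: `realpath()` returns false when the requested file does not exist, and the check only rejects that case by accident (`strpos(false, $basePath)` is coerced to an empty haystack), so test `$basePath === false || $filePath === false` explicitly; and unless `$this->notFound()` halts the request, execution falls through to the download code that follows, so a `return` after it would make the intent unambiguous. The new comment reads "do not display if not under basePath" and contains a typo (`出ない` for `でない`).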
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hmqj-gv2m-hq55 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43648 (NVD)
- basercms.net/security/JVN_81174674 (vendor advisory)
- github.com/baserproject/basercms/commit/7555a5cf0006755dc0223fffc2d882b50a97758b (fix commit)
- github.com/baserproject/basercms/security/advisories/GHSA-hmqj-gv2m-hq55 (repository advisory)