baserCMS CSRF vulnerability in Content preview Feature
Description
baserCMS is a website development framework. Prior to version 4.8.0, there is a cross site request forgery vulnerability in the content preview feature of baserCMS. Version 4.8.0 contains a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in the content preview feature of baserCMS before version 4.8.0 lets an attacker who lures a logged-in administrator to a crafted page or link have that administrator's browser submit a forged preview request, so that operations the attacker chose are carried out with the administrator's privileges.
Vulnerability
Overview
A cross-site request forgery (CSRF) vulnerability exists in the content preview feature of baserCMS, a website development framework, prior to version 4.8.0 [1][2]. The vulnerability allows an attacker to craft a malicious request that, when triggered by an authenticated administrator, can execute unintended actions within the preview functionality [4].
Exploitation
Details
The attack needs a victim who is logged into the baserCMS administration area and who can be made to load attacker-controlled content in the same browser; the vendor advisory phrases the precondition as the management system being used by an unspecified number of users, meaning any authenticated administrator can become a victim [4]. The attacker deceives the admin into clicking a specially crafted link or visiting a malicious page while logged in; the browser attaches the admin's session cookie to the forged request, so the action is performed as the victim without their consent [2]. The root cause, visible in the fix commit, is that BcContentsComponent::setupFront() switched off CakePHP's SecurityComponent CSRF check (`$controller->Security->csrfCheck = false;`) whenever the request data contained a non-empty Content array, so preview POSTs were never checked for a valid CSRF token [2].
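The following Python model is an added example, not baserCMS or CakePHP code. It reproduces the control flow shown in the fix commit: CakePHP 2's SecurityComponent rejects a POST whose `_Token[key]` does not match a token issued to the session unless `csrfCheck` has been turned off, and the unpatched component turned it off as soon as `data['Content']` was present. The session token, the field layout (`data['Content']`, `data['_Token']['key']`) and the two requests are constructed for the example; the field names follow CakePHP 2 conventions and are assumptions about the real request shape.

```python
"""Model of the baserCMS 4.7.x preview CSRF bypass and its fix (added example)."""
import hmac
import secrets


class Session:
    """Stand-in for the CakePHP session: holds CSRF tokens issued to one user."""

    def __init__(self):
        self.csrf_tokens = set()

    def issue_csrf_token(self):
        token = secrets.token_hex(16)
        self.csrf_tokens.add(token)
        return token


def csrf_token_valid(session, data):
    """Simplified SecurityComponent CSRF check: the posted _Token.key must be a
    token previously issued to this session. Constant-time comparison so the
    check itself does not leak token bytes."""
    key = (data.get("_Token") or {}).get("key")
    if not key:
        return False
    return any(hmac.compare_digest(key.encode(), t.encode()) for t in session.csrf_tokens)


def preview_request_allowed(session, data, patched):
    """Mirrors BcContentsComponent::setupFront() followed by the SecurityComponent check.

    Unpatched: a non-empty data['Content'] sets csrfCheck = false, so the token is
    never examined. Patched: csrfCheck stays true, so a preview POST needs a token.
    validatePost is false in both versions; only csrfCheck changed in the fix.
    """
    csrf_check = True
    if data.get("Content") and not patched:
        csrf_check = False
    if csrf_check and not csrf_token_valid(session, data):
        return False
    return True


def scenario():
    """Returns (forged_allowed_unpatched, forged_allowed_patched, legit_allowed_patched)."""
    victim = Session()
    legit_token = victim.issue_csrf_token()

    # Constructed cross-site POST: the attacker cannot read the victim's token,
    # so the auto-submitted form carries only Content fields.
    forged = {"Content": {"name": "index", "title": "tampered"}}
    # Constructed preview POST from the admin UI, carrying the session's token.
    legit = {"Content": {"name": "index", "title": "draft"},
             "_Token": {"key": legit_token}}

    return (
        preview_request_allowed(victim, forged, patched=False),  # True: CSRF succeeds
        preview_request_allowed(victim, forged, patched=True),   # False: rejected
        preview_request_allowed(victim, legit, patched=True),    # True: admin flow intact
    )


if __name__ == "__main__":
    print(scenario())
```

The third value is the regression check a reviewer of the fix would want: removing the exemption must not break the admin's own preview, which still carries the token the form helper embeds.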
Impact
Successful exploitation lets the attacker have operations performed through the content preview feature with the administrator's privileges [4]; in practice, attacker-supplied Content data is processed as if the admin had submitted it. The sources describe the outcome as unintended operations; they do not claim code execution or privilege escalation, so the impact should be assessed as content tampering and whatever the preview path does with the posted Content data on a given site.
Mitigation
The vulnerability is patched in baserCMS version 4.8.0 [1]. Users running versions 4.7.8 and earlier are advised to update immediately [4]. The vendor has released a security advisory and provided a commit fixing the issue [2][4]. To confirm a deployment is fixed, check that `composer show baserproject/basercms` reports 4.8.0 or later, or that lib/Baser/Controller/Component/BcContentsComponent.php no longer contains `$controller->Security->csrfCheck = false;` in setupFront().
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| baserproject/basercms (Packagist) | < 4.8.0 | 4.8.0 |
Affected products
- baserproject/basercms: < 4.8.0
Patches
874c55433fea: Merge pull request from GHSA-fw9x-cqjq-7jx5
1 file changed · +0 −1
lib/Baser/Controller/Component/BcContentsComponent.php+0 −1 modified@@ -140,7 +140,6 @@ public function setupFront() if (!empty($controller->request->data['Content'])) { $controller->request->params['Content'] = $controller->request->data['Content']; $controller->Security->validatePost = false; - $controller->Security->csrfCheck = false; } }
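Review bot: the hunk removes only `$controller->Security->csrfCheck = false;` and leaves `$controller->Security->validatePost = false;` in place, so every POST whose data contains a non-empty `Content` array still bypasses SecurityComponent's form-tampering validation; a comment explaining why validatePost must stay disabled for preview posts, or a narrower condition than `!empty($controller->request->data['Content'])`, would make the remaining exemption reviewable.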
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fw9x-cqjq-7jx5 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-43649 (NVD advisory)
- basercms.net/security/JVN_99052047 (vendor security page, x_refsource_MISC)
- github.com/baserproject/basercms/commit/874c55433fead93e0be9df96fd28740f8047c8b6 (fix commit, x_refsource_MISC)
- github.com/baserproject/basercms/security/advisories/GHSA-fw9x-cqjq-7jx5 (vendor GHSA advisory, x_refsource_CONFIRM)