baserCMS Cross-site Scripting vulnerability in Site search Feature
Description
baserCMS is a website development framework. Prior to version 5.0.9, there is a cross-site scripting vulnerability in the site search feature. Version 5.0.9 contains a fix for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
baserCMS prior to 5.0.9 has a reflected cross-site scripting vulnerability in the site search feature.
Vulnerability
Overview
CVE-2023-44379 is a cross-site scripting (XSS) vulnerability present in the site search feature of baserCMS, a PHP-based website development framework. The root cause is that the search functionality does not properly escape user-supplied input before reflecting it in the page output. Specifically, the theme template files site_search_form.php or search.php use 'escape' => false in form control helpers, disabling output escaping [1][2].
Exploitation
Requirements
To exploit this vulnerability, an attacker must convince a user who has access to the management screen to interact with a crafted link or form. The vulnerability only applies when the management screen is made available to an unspecified number of users, such as in a multi-tenant or shared administration environment [2]. No authentication is required from the target user beyond being logged into the management interface.
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript or HTML into the vulnerable page, enabling actions such as session hijacking, content manipulation, or credential theft within the context of the affected user's session. The CVSS v3.1 score is not yet assigned, but the severity is moderate given the prerequisite of user interaction and the potential for sensitive data exposure.
Mitigation
Users should update to baserCMS 5.0.9, which includes a fix for this issue. Alternatively, administrators can manually remove the 'escape' => false option from the form control calls in their theme files, as detailed in the vendor advisory [2]. Users of the older baserCMS 4 series should consult separate guidance for mitigation. The vulnerability has been disclosed through JVN#73283159, and multiple researchers are credited for their reports [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
baserproject/basercmsPackagist | < 5.0.9 | 5.0.9 |
Affected products
2- baserproject/basercmsv5Range: < 5.0.9
Patches
118549396e5a9Merge pull request from GHSA-66c2-p8rh-qx87
2 files changed · +2 −2
plugins/BcColumn/templates/element/site_search_form.php+1 −1 modified@@ -16,7 +16,7 @@ <div class="section search-box"> <?php echo $this->BcForm->create($searchIndexesFront, array('type' => 'get', 'url' => $url)) ?> - <?php echo $this->BcForm->control('q', ['escape' => false]) ?> + <?php echo $this->BcForm->control('q') ?> <?php echo $this->BcForm->hidden('site_id', ['value' => $this->getRequest()->getAttribute('currentSite')->id]) ?> <?php echo $this->BcForm->submit('検索', array('div' => false, 'class' => 'submit_button bs-button')) ?> <?php echo $this->BcForm->end() ?>
plugins/bc-front/templates/plugin/BcSearchIndex/SearchIndexes/search.php+1 −1 modified@@ -32,7 +32,7 @@ <?php if ($contentFolders): ?> <?php echo $this->BcBaser->formControl('f', ['type' => 'select', 'options' => $contentFolders, 'empty' => __d('baser_core', 'カテゴリ')]) ?> <?php endif ?> - <?php echo $this->BcBaser->formControl('q', ['placeholder' => __d('baser_core', 'キーワード'), 'escape' => false, 'div' => false]) ?> + <?php echo $this->BcBaser->formControl('q', ['placeholder' => __d('baser_core', 'キーワード'), 'div' => false]) ?> <?php echo $this->BcBaser->formHidden('s') ?> <?php echo $this->BcBaser->formSubmit(__d('baser_core', '検索'), ['div' => false, 'class' => 'bs-button-small']) ?> <?php echo $this->BcBaser->endForm() ?>
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-66c2-p8rh-qx87ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-44379ghsaADVISORY
- basercms.net/security/JVN_73283159ghsax_refsource_MISCWEB
- github.com/baserproject/basercms/commit/18549396e5a9b8294306a54a876af164b0b57da4ghsax_refsource_MISCWEB
- github.com/baserproject/basercms/security/advisories/GHSA-66c2-p8rh-qx87ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.