SB2020102978 - Multiple vulnerabilities in baserCMS
Published: October 29, 2020 Updated: April 27, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2020-15276)
The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.
The vulnerability exists due to cross-site scripting in blog comment posting when handling user-supplied comment content. A remote attacker can submit a specially crafted comment to execute arbitrary script code in the victim's browser.
2) Cross-site scripting (CVE-ID: CVE-2020-15277)
The vulnerability allows a remote user to execute arbitrary script code.
The vulnerability exists due to improper neutralization of input during web page generation in the edit template feature. A remote user can inject a specially crafted script into a template to execute arbitrary script code.
Exploitation requires an administrator to be logged in.
3) Cross-site scripting (CVE-ID: CVE-2020-15273)
The vulnerability allows a remote user to execute arbitrary script code.
The vulnerability exists due to cross-site scripting in edit feed settings, edit widget area, sub site new registration, and new category registration when handling crafted input. A remote user can submit specially crafted input to execute arbitrary script code.
Exploitation requires an administrator to be logged in.
Remediation
Install the update from the vendor's website.
References
- https://github.com/baserproject/basercms/security/advisories/GHSA-fw5q-j9p4-3vxg
- https://github.com/advisories/GHSA-fw5q-j9p4-3vxg
- https://github.com/baserproject/basercms/security/advisories/GHSA-6fmv-q269-55cw
- https://github.com/baserproject/basercms/security/advisories/GHSA-wpww-4jf4-4hx8
- https://github.com/advisories/GHSA-wpww-4jf4-4hx8