CVE-2018-18942

Name of the Vulnerable Software and Affected Versions baserCMS versions prior to 4.1.4

Description The issue allows remote attackers to execute arbitrary PHP code. This is achieved via the admin/theme configs/form data, specifically through the ThemeConfig][logo parameter in the libBaserModelThemeConfig.php file.

Recommendations For versions prior to 4.1.4, update to version 4.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the libBaserModelThemeConfig.php file or disabling the logo parameter in the admin/theme configs/form data until a patch is applied.