PT-2020-14235 · Basercms · Basercms

Stypr · Published 2020-08-28 · Updated 2020-09-03 · CVE-2020-15159

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

baserCMS versions 4.3.6 and earlier
baserCMS versions 4.2.0 through 4.3.6 (XSS)
baserCMS versions 3.0.10 through 4.3.6 (RCE)
Description

baserCMS allows Cross Site Scripting (XSS) and Remote Code Execution (RCE) through arbitrary file upload. A user logged in as a system administrator can upload an executable script file, such as a PHP file, through the theme file and uploader functions; because the upload is stored with its script extension in a location the web server will execute, the attacker obtains code execution on the server. The affected components are ThemeFilesController.php and UploaderFilesController.php. Exploitation requires an administrator account and user interaction (CVSS PR:H, UI:R), so the practical exposure is a compromised or malicious administrator rather than an anonymous attacker.
Recommendations

Update to baserCMS 4.3.7, which fixes both issues: versions 4.3.6 and earlier are affected, the XSS affects 4.2.0 through 4.3.6 and the RCE affects 3.0.10 through 4.3.6. Until the update is applied, restrict access to the theme file and uploader functions (ThemeFilesController.php and UploaderFilesController.php) to the smallest possible set of trusted administrators, and do not upload executable script files, such as PHP files, through them. As general hardening against this class of bug, configure the web server so that files in upload and theme directories are never executed as scripts, and check existing upload directories for script files that should not be there.

Weakness Enumeration

Related Identifiers

CVE-2020-15159
GHSA-673X-F5WX-FXPW

Affected Products

Basercms