CVE-2020-15273

Name of the Vulnerable Software and Affected Versions baserCMS versions 4.0.0 through 4.4.0

Description The issue affects several components, including Edit feed settings, Edit widget area, Sub site new registration, and New category registration. It allows arbitrary JavaScript execution by entering specific characters in certain areas, such as the account that can access the file upload function, category list, subsite setting list, widget area edit, and feed list on the management screen. The attack vector requires an administrator to be logged in. The issue was introduced in version 4.0.0 and is fixed in version 4.4.1.

Recommendations For versions 4.0.0 through 4.4.0, update to version 4.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the affected components, such as Edit feed settings, Edit widget area, Sub site new registration, and New category registration, until the update is applied.