PT-2020-14334 · Basercms · Basercms
Aquilao

| Field | Value |
|---|---|
| Published | 2020-10-30 |
| Updated | 2020-11-03 |
| CVE | CVE-2020-15277 |
| CVSS v3.1 | 7.2 (High) |
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
baserCMS versions 4.0.0 through 4.4.0
Description
The issue allows Remote Code Execution (RCE): a user logged in as a system administrator can upload an executable script file, such as a PHP file, through the Edit template component, which does not restrict the file types it accepts. The same component can also be used for Cross-Site Scripting (XSS), since arbitrary script content is stored and executed. Exploitation requires an administrator to be logged in (PR:H in the vector above), which is why the CVSS score is High rather than Critical.
Recommendations
For versions 4.0.0 through 4.4.0, update to version 4.4.1 to resolve the issue.
As a temporary workaround, consider restricting access to the Edit template component until the update is applied.
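As an added illustration of the class of control the fix restores (this is example code, not baserCMS's own patch), the following PHP 8 helper shows an allow-list check that a theme or template upload feature could apply before writing a client-supplied file name under the theme directory. It assumes the upload is meant to accept only static theme assets; the class name, the extension list and the root directory are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not baserCMS code): allow-list validation for a theme asset
 * upload. Assumes uploads are meant to be static assets only; the extension
 * list and root directory are hypothetical.
 */
final class ThemeUploadGuard
{
    /** Allow-list of extensions a static theme asset may have. */
    private const ALLOWED_EXTENSIONS = ['css', 'js', 'png', 'jpg', 'gif', 'svg', 'txt'];

    public function __construct(private string $themeRoot) {}

    /**
     * Returns the absolute destination path, or null when the name is rejected.
     * Rejection is the signal to log the attempt and return an error to the UI.
     */
    public function safeDestination(string $clientFileName): ?string
    {
        // Drop any directory component the client supplied (handles "..\" too).
        $base = basename(str_replace('\\', '/', $clientFileName));

        // One dot only, limited character set: "shell.php.png" and "x.phtml"
        // never reach the extension comparison.
        if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
            return null;
        }
        $ext = strtolower($m[1]);
        if (!in_array($ext, self::ALLOWED_EXTENSIONS, true)) {
            return null;
        }

        $root = realpath($this->themeRoot);
        if ($root === false) {
            return null;
        }
        $dest = $root . DIRECTORY_SEPARATOR . $base;

        // Belt and braces: the parent of the resolved path must be the theme root.
        if (dirname($dest) !== $root) {
            return null;
        }
        return $dest;
    }
}

// Constructed usage examples.
$guard = new ThemeUploadGuard(sys_get_temp_dir());
var_dump($guard->safeDestination('style.css'));        // string: <tmp>/style.css
var_dump($guard->safeDestination('shell.php'));        // NULL: extension not allowed
var_dump($guard->safeDestination('../../shell.php'));  // NULL: path stripped, then rejected
var_dump($guard->safeDestination('img.php.png'));      // NULL: more than one dot
```

The point of the allow-list (rather than a deny-list of `php`, `phtml` and so on) is that any extension the web server might map to a script handler is excluded by default. A template editor that genuinely must write PHP templates cannot use this check as-is; for that case the appropriate control is the one the advisory already recommends, restricting who can reach the Edit template component, combined with logging of every write to the theme directory so that an unexpected file appearing there is detectable.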
Fix
Unrestricted File Upload
Special Elements Injection
Related Identifiers
Affected Products
Basercms