CVE-2020-15273

7.3 HIGH

📋 TL;DR

baserCMS versions 4.0.0 through 4.4.0 contain a stored cross-site scripting vulnerability in several management-interface screens: Edit feed settings, Edit widget area, Sub site new registration, and New category registration. An attacker who already holds an account with access to the management system can save JavaScript in these fields; the script then executes in the browser of any other administrator who opens the affected screen, exposing that administrator's session and the actions it can perform. Every installation running an affected version with more than one management-system user is exposed.

💻 Affected Systems

Products:
  • baserCMS
Versions: 4.0.0 through 4.4.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to exploit. Affects management interface components: Edit feed settings, Edit widget area, Sub site new registration, New category registration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account takeover leading to complete system compromise, data theft, or website defacement through stored XSS payloads.

🟠

Likely Case

Session hijacking of administrative users, credential theft, or unauthorized administrative actions performed through injected scripts.

🟢

If Mitigated

Limited impact if management-system accounts are restricted to a small set of trusted users behind MFA and a strict Content Security Policy blocks inline script execution in the admin UI; the vulnerable fields themselves can only be fixed by upgrading.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Not publicly reported
Unauthenticated Exploit: No (a management-system login is required)
Complexity: LOW

Exploitation requires an account with management-system access. The attacker saves a JavaScript payload in one of the affected fields and waits for another administrator to open that screen; no user interaction beyond normal administrative browsing is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.1

Vendor Advisory: https://github.com/baserproject/basercms/security/advisories/GHSA-wpww-4jf4-4hx8

Restart Required: No

Instructions:

1. Back up your baserCMS installation and database.
2. Update baserCMS to version 4.4.1 or later. For Composer-managed installations: `composer require baserproject/basercms:^4.4.1`. For installations deployed from the downloaded archive, follow the vendor's upgrade procedure for 4.x.
3. Clear the application cache if applicable.

🔧 Temporary Workarounds

Input Validation Enhancement (applies to: all affected versions)

Add server-side sanitization or output encoding for the affected fields (feed settings, widget area, sub-site registration, category registration) in custom code until the upgrade is applied. This reduces, but does not remove, the exposure: the vendor fix is the only complete remediation.

Content Security Policy (applies to: all affected versions)

Serve a strict CSP on the management interface that disallows inline scripts and untrusted script sources, which is what stored XSS payloads rely on. Test the policy against the admin UI first, since the management screens may themselves depend on inline scripts; roll out in report-only mode before enforcing.

🧯 If You Can't Patch

  • Restrict administrative access to trusted users only and implement multi-factor authentication.
  • Monitor and audit administrative actions in the affected components for suspicious input patterns.

🔍 How to Verify

Check if Vulnerable:

Check baserCMS version in administration panel or via 'composer show baserproject/basercms' command.

Check Version:

composer show baserproject/basercms | grep versions

Verify Fix Applied:

Confirm the reported version is 4.4.1 or higher, then, as a regression check, enter a harmless marker such as `<b>test</b>` in each affected field and confirm it is rendered as literal text rather than as markup when the screen is reloaded.

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrative activity in feed settings, widget areas, or category management
  • JavaScript patterns in administrative input fields

Network Indicators:

  • Unexpected script tags in administrative interface responses

SIEM Query:

Illustrative pseudo-query (the field names are placeholders, not baserCMS log fields; map them to whatever your web-server or application logs actually record for POSTs to these admin screens):

source="basercms" AND (event="admin_action" AND (field="feed_settings" OR field="widget_area" OR field="subsite" OR field="category") AND input CONTAINS "<script>")

Matching only the literal string `<script>` misses event-handler payloads (`<img onerror=...>`, `<svg onload=...>`), `javascript:` URIs, and URL- or entity-encoded variants; decode the submitted value before matching and cover those patterns too.
