CVE-2020-15159

moderate-risk
Published 2020-08-28

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) and Remote Code Execution (RCE). This may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file.The affected components are ThemeFilesController.php and UploaderFilesController.php. This is fixed in version 4.3.7.

Do I need to act?

~
1.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.6/10 High
NETWORK / HIGH complexity

Affected Products (1)

Affected Vendors

Basercms

References (6)

Vendor Advisory https://basercms.net/security/20200827
Patch https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac...
Patch https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
Vendor Advisory https://basercms.net/security/20200827
Patch https://github.com/baserproject/basercms/commit/16a7b3cd09a0ca355474119c76897eac...
Patch https://github.com/baserproject/basercms/security/advisories/GHSA-673x-f5wx-fxpw
32
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 4/34 · Minimal
Exposure 5/34 · Minimal