JVN#78151490: Multiple vulnerabilities in baserCMS

2017-08-25T00:00:00
ID JVN:78151490
Type jvn
Reporter Japan Vulnerability Notes
Modified 2017-08-25T00:00:00

## Description

baserCMS provided by baserCMS Users Community contains multiple vulnerabilities listed below.

  • SQL injection (CWE-89) - CVE-2017-10842

    Version | Vector | Base Score
    ---|---|---
    CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 7.3
    CVSS v2 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 7.5

  • Arbitrary files may be deleted - CVE-2017-10843

    Version | Vector | Base Score
    ---|---|---
    CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 7.3
    CVSS v2 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 7.5

  • Arbitrary PHP code execution - CVE-2017-10844

    Version | Vector | Base Score
    ---|---|---
    CVSS v3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | 6.3
    CVSS v2 | AV:N/AC:L/Au:N/C:P/I:P/A:P | 7.5

## Impact

  • A remote attacker may execute arbitrary SQL commands to create files or obtain or alter information stored in the database. - CVE-2017-10842
  • A remote attacker may obtain or delete arbitrary files on the system. - CVE-2017-10843
  • A user may execute arbitrary PHP code on the server. - CVE-2017-10844

## Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Apply the Patch
Patches have been released. For more information, refer to "How to Apply the Patches".

## Products Affected

  • baserCMS version 3.0.14 and earlier
  • baserCMS version 4.0.5 and earlier