cvelistv5 - cve-2020-15154

CVE-2020-15154 (GCVE-0-2020-15154)

Vulnerability from cvelistv5 – Published: 2020-08-28 21:10 – Updated: 2024-08-04 13:08

Summary

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-79 - {"CWE-79":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}

Assigner

GitHub_M

References

URL

Tags

	https://github.com/baserproject/basercms/security…	x_refsource_CONFIRM
	https://basercms.net/security/20200827	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	baserproject	basercms	Affected: unspecified , < < 4.3.7 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:08:22.291Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://basercms.net/security/20200827"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "basercms",
          "vendor": "baserproject",
          "versions": [
            {
              "lessThan": "\u003c 4.3.7",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-08-28T21:10:14",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://basercms.net/security/20200827"
        }
      ],
      "source": {
        "advisory": "GHSA-cpxc-67rc-c775",
        "discovery": "UNKNOWN"
      },
      "title": "Cross Site Scripting in baserCMS",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15154",
          "STATE": "PUBLIC",
          "TITLE": "Cross Site Scripting in baserCMS"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "basercms",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "\u003c 4.3.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "baserproject"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775",
              "refsource": "CONFIRM",
              "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
            },
            {
              "name": "https://basercms.net/security/20200827",
              "refsource": "MISC",
              "url": "https://basercms.net/security/20200827"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-cpxc-67rc-c775",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2020-15154",
    "datePublished": "2020-08-28T21:10:14",
    "dateReserved": "2020-06-25T00:00:00",
    "dateUpdated": "2024-08-04T13:08:22.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"4.3.6\", \"matchCriteriaId\": \"3D8C0605-796C-4AA8-ACD8-1444D95A121B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.\"}, {\"lang\": \"es\", \"value\": \"baserCMS versiones 4.3.6 y anteriores, esta afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio de la ejecuci\\u00f3n de un script arbitrario. Se requiere acceso de administrador para explotar esta vulnerabilidad. Los componentes afectados son: los archivos content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. El problema es corregido en la versi\\u00f3n 4.3.7\"}]",
      "id": "CVE-2020-15154",
      "lastModified": "2024-11-21T05:04:57.557",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.8}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:H/Au:S/C:N/I:P/A:N\", \"baseScore\": 2.1, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"HIGH\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.9, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-08-28T21:15:11.917",
      "references": "[{\"url\": \"https://basercms.net/security/20200827\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://basercms.net/security/20200827\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-15154\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-08-28T21:15:11.917\",\"lastModified\":\"2024-11-21T05:04:57.557\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.\"},{\"lang\":\"es\",\"value\":\"baserCMS versiones 4.3.6 y anteriores, esta afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio de la ejecuci\u00f3n de un script arbitrario. Se requiere acceso de administrador para explotar esta vulnerabilidad. Los componentes afectados son: los archivos content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. El problema es corregido en la versi\u00f3n 4.3.7\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":5.8}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:S/C:N/I:P/A:N\",\"baseScore\":2.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.3.6\",\"matchCriteriaId\":\"3D8C0605-796C-4AA8-ACD8-1444D95A121B\"}]}]}],\"references\":[{\"url\":\"https://basercms.net/security/20200827\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://basercms.net/security/20200827\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
  }
}

GHSA-CPXC-67RC-C775

Vulnerability from github – Published: 2020-08-28 20:48 – Updated: 2021-01-07 23:39

Summary

Cross Site Scripting in baserCMS

Details

baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS).

Impact: XSS via Arbitrary script execution.
Attack vector is: Administrator must be logged in.
Components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js
Tested baserCMS Version : 4.3.6 (Latest)
Affected baserCMS Version : 4.0.0 ~ 4.3.6
Patches : https://basercms.net/security/20200827

Found by Aquilao Null

Severity ?

7.3 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.3.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "baserproject/basercms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-28T20:47:58Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS).\n\n* Impact: XSS via Arbitrary script execution.\n* Attack vector is: Administrator must be logged in.\n* Components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js\n* Tested baserCMS Version : 4.3.6 (Latest)\n* Affected baserCMS Version : 4.0.0 ~ 4.3.6\n* Patches : https://basercms.net/security/20200827\n\nFound by Aquilao Null",
  "id": "GHSA-cpxc-67rc-c775",
  "modified": "2021-01-07T23:39:30Z",
  "published": "2020-08-28T20:48:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15154"
    },
    {
      "type": "WEB",
      "url": "https://github.com/baserproject/basercms/commit/7f4b905b90954e394ec10dd35bad2a5dec505371"
    },
    {
      "type": "WEB",
      "url": "https://basercms.net/security/20200827"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross Site Scripting in baserCMS"
}

FKIE_CVE-2020-15154

Vulnerability from fkie_nvd - Published: 2020-08-28 21:15 - Updated: 2024-11-21 05:04

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
7.3 (High) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://basercms.net/security/20200827	Patch, Vendor Advisory
security-advisories@github.com	https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://basercms.net/security/20200827	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	basercms	basercms	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3D8C0605-796C-4AA8-ACD8-1444D95A121B",
              "versionEndIncluding": "4.3.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7."
    },
    {
      "lang": "es",
      "value": "baserCMS versiones 4.3.6 y anteriores, esta afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) por medio de la ejecuci\u00f3n de un script arbitrario. Se requiere acceso de administrador para explotar esta vulnerabilidad. Los componentes afectados son: los archivos content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. El problema es corregido en la versi\u00f3n 4.3.7"
    }
  ],
  "id": "CVE-2020-15154",
  "lastModified": "2024-11-21T05:04:57.557",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 2.1,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-08-28T21:15:11.917",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://basercms.net/security/20200827"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://basercms.net/security/20200827"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2020-15154

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2020-15154

Aliases

CVE-2020-15154

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2020-15154",
    "description": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.",
    "id": "GSD-2020-15154"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-15154"
      ],
      "details": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7.",
      "id": "GSD-2020-15154",
      "modified": "2023-12-13T01:21:43.637413Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-15154",
        "STATE": "PUBLIC",
        "TITLE": "Cross Site Scripting in baserCMS"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "basercms",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_value": "\u003c 4.3.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "baserproject"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775",
            "refsource": "CONFIRM",
            "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
          },
          {
            "name": "https://basercms.net/security/20200827",
            "refsource": "MISC",
            "url": "https://basercms.net/security/20200827"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-cpxc-67rc-c775",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=4.3.6",
          "affected_versions": "All versions up to 4.3.6",
          "cvss_v2": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2020-09-03",
          "description": "baserCMS `content_info.php`, `content_options.php`, `content_related.php`, `index_list_tree.php`, `jquery.bcTree.js`.",
          "fixed_versions": [
            "4.3.7"
          ],
          "identifier": "CVE-2020-15154",
          "identifiers": [
            "CVE-2020-15154",
            "GHSA-cpxc-67rc-c775"
          ],
          "not_impacted": "All versions after 4.3.6",
          "package_slug": "packagist/baserproject/basercms",
          "pubdate": "2020-08-28",
          "solution": "Upgrade to version 4.3.7 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-15154",
            "https://basercms.net/security/20200827"
          ],
          "uuid": "d4afdfd0-95dc-42c1-b316-e0f0b74bc649"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:basercms:basercms:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.3.6",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15154"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "baserCMS 4.3.6 and earlier is affected by Cross Site Scripting (XSS) via arbitrary script execution. Admin access is required to exploit this vulnerability. The affected components are: content_fields.php, content_info.php, content_options.php, content_related.php, index_list_tree.php, jquery.bcTree.js. The issue is fixed in version 4.3.7."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://basercms.net/security/20200827",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://basercms.net/security/20200827"
            },
            {
              "name": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/baserproject/basercms/security/advisories/GHSA-cpxc-67rc-c775"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 2.1,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.0,
          "impactScore": 5.8
        }
      },
      "lastModifiedDate": "2020-09-03T18:08Z",
      "publishedDate": "2020-08-28T21:15Z"
    }
  }
}

CNVD-2020-49572

Vulnerability from cnvd - Published: 2020-08-31

Title

baserCMS跨站脚本漏洞（CNVD-2020-49572）

Description

BaserCMS是一款开源企业级内容管理系统（cms）。 baserCMS 4.3.6及更早版本中的content_fields.php、content_info.php、content_options.php、content_related.php、index_list_tree.php、jquery.bcTree.js组件存在跨站脚本漏洞。攻击者可利用该漏洞执行任意脚本。

Severity

中

Patch Name

baserCMS跨站脚本漏洞（CNVD-2020-49572）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://basercms.net/security/20200827

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-15154

Impacted products

Name
BaserCMS BaserCMS <=4.3.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-15154",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-15154"
    }
  },
  "description": "BaserCMS\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ea7\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08cms\uff09\u3002\n\nbaserCMS 4.3.6\u53ca\u66f4\u65e9\u7248\u672c\u4e2d\u7684content_fields.php\u3001content_info.php\u3001content_options.php\u3001content_related.php\u3001index_list_tree.php\u3001jquery.bcTree.js\u7ec4\u4ef6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u811a\u672c\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://basercms.net/security/20200827",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-49572",
  "openTime": "2020-08-31",
  "patchDescription": "BaserCMS\u662f\u4e00\u6b3e\u5f00\u6e90\u4f01\u4e1a\u7ea7\u5185\u5bb9\u7ba1\u7406\u7cfb\u7edf\uff08cms\uff09\u3002\r\n\r\nbaserCMS 4.3.6\u53ca\u66f4\u65e9\u7248\u672c\u4e2d\u7684content_fields.php\u3001content_info.php\u3001content_options.php\u3001content_related.php\u3001index_list_tree.php\u3001jquery.bcTree.js\u7ec4\u4ef6\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u811a\u672c\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "baserCMS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-49572\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "BaserCMS BaserCMS \u003c=4.3.6"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-15154",
  "serverity": "\u4e2d",
  "submitTime": "2020-08-31",
  "title": "baserCMS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2020-49572\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-15154 (GCVE-0-2020-15154)

GHSA-CPXC-67RC-C775

FKIE_CVE-2020-15154

GSD-2020-15154

CNVD-2020-49572

Tags

Sightings

Nomenclature