CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Description
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.
Analysis
baserCMS versions before 5.2.3 allow an authenticated administrator to achieve remote code execution by embedding a malicious PHP file in a backup archive submitted to the restore function. The restore function extracts the uploaded ZIP and then includes PHP files from it via require_once without validating the file name, so any PHP code placed in the archive runs in the application context. No public exploit was identified at the time of analysis. The EPSS score of 0.00043 (0.043%) indicates a low observed likelihood of exploitation, while the CVSS 3.1 base score of 8.7 (High) reflects a network-reachable, low-complexity attack with changed scope. The high privilege requirement (PR:H) is the main limiting factor: an attacker must already hold an administrator account, so the realistic risk is escalation from CMS administrator to code execution on the web server, whether by a compromised or a malicious administrator.
Technical Context
baserCMS is an open-source PHP-based content management system and website development framework. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and lives in the backup restoration functionality. When an administrator uploads a ZIP archive through the restore feature, the application automatically extracts its contents and includes PHP files from the extracted tree using require_once, without file type validation, path sanitization, or any restriction on which file names may be included. Because the archive contents are entirely attacker-controlled, any PHP code inside it executes with the privileges of the web server process. The affected product CPE (cpe:2.3:a:baserproject:basercms) covers all versions prior to 5.2.3, as confirmed by the GitHub security advisory GHSA-hv78-cwp4-8r7r and the vendor's security bulletin JVN_20837860.
Affected Products
baserCMS versions prior to 5.2.3 are affected, as identified by CPE cpe:2.3:a:baserproject:basercms:*:*:*:*:*:*:*:*. The baserCMS project is maintained by baserproject and provides a PHP-based website development framework and content management system. The vulnerability was disclosed through GitHub Security Advisory GHSA-hv78-cwp4-8r7r and the vendor bulletin JVN_20837860 at https://basercms.net/security/JVN_20837860. All installations running versions below 5.2.3 should be considered vulnerable, particularly those with multiple administrator accounts or with the administrative interface exposed to untrusted networks.
Remediation
Upgrade to baserCMS version 5.2.3 or later, which patches the unsafe file inclusion in the restore function. The patched release is available at https://github.com/baserproject/basercms/releases/tag/5.2.3 and adds validation preventing arbitrary PHP execution during ZIP extraction. Organizations unable to upgrade immediately should apply compensating controls: restrict the restore function to a minimal set of super-administrators, audit every ZIP archive for PHP files and path-traversal entries before restoring it, scan uploads with antivirus/malware detection, and forward restore operations to a SIEM so they are alerted on. Review administrator access logs for unexpected restore operations, and disable the restore feature if it is not operationally required. Consult the official security advisory at https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r for additional vendor guidance.
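The following PHP is an added illustration of the pattern described under Technical Context and of the pre-restore archive audit recommended under Remediation. It is not baserCMS code and does not reproduce the actual baserCMS restore function; the function names, the expected backup.json entry and the directory layout are assumptions. The first function shows the unsafe shape (extract everything, then require_once whatever PHP appeared); the second audits every archive entry before extraction, extracts only allowlisted names into a fresh directory, verifies the result did not escape that directory, and parses the backup as data instead of executing it.

```php
<?php
// Added example, not baserCMS's code. Requires PHP 8.0+ with ext-zip.
// Assumed layout: a backup archive contains a single data file, backup.json.
declare(strict_types=1);

// Unsafe shape, shown for contrast: the uploaded archive decides which PHP runs.
function restoreUnsafe(string $zipPath, string $workDir): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $zip->extractTo($workDir);            // no entry-name checks at all
    $zip->close();
    foreach (glob($workDir . '/*.php') as $file) {
        require_once $file;               // attacker-controlled name and contents
    }
}

// Hardened shape: allowlist of entry names the restore is willing to read.
const ALLOWED_ENTRIES = ['backup.json' => true];

// Returns a list of problems; an empty list means the archive passed the audit.
function auditArchiveEntries(ZipArchive $zip): array
{
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === false) {
            continue;
        }
        // Traversal, absolute paths and backslash separators are rejected first.
        if (str_contains($name, '..') || str_starts_with($name, '/') || str_contains($name, '\\')) {
            $problems[] = "traversal: $name";
            continue;
        }
        // Anything the PHP interpreter might execute is rejected outright.
        if (preg_match('/\.(php\d?|phtml|phar|inc)$/i', $name) === 1) {
            $problems[] = "php payload: $name";
            continue;
        }
        // Everything else must be an allowlisted entry (directories are tolerated).
        if (!str_ends_with($name, '/') && !isset(ALLOWED_ENTRIES[$name])) {
            $problems[] = "unexpected entry: $name";
        }
    }
    return $problems;
}

function restoreHardened(string $zipPath, string $baseDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('cannot open archive');
    }
    $problems = auditArchiveEntries($zip);
    if ($problems !== []) {
        $zip->close();
        throw new RuntimeException('archive rejected: ' . implode('; ', $problems));
    }
    // Fresh, unpredictable, owner-only work directory; extract only allowlisted names.
    $workDir = $baseDir . '/restore-' . bin2hex(random_bytes(8));
    if (!mkdir($workDir, 0700, true)) {
        throw new RuntimeException('cannot create work directory');
    }
    if ($zip->extractTo($workDir, array_keys(ALLOWED_ENTRIES)) !== true) {
        $zip->close();
        throw new RuntimeException('required entry missing from archive');
    }
    $zip->close();
    // Confirm the extracted file really lives under the work directory
    // (guards symlink tricks), then parse it as data; nothing is ever included.
    $real = realpath($workDir . '/backup.json');
    $root = realpath($workDir);
    if ($real === false || $root === false || !str_starts_with($real, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('extracted file escaped the work directory');
    }
    return json_decode(file_get_contents($real), true, 512, JSON_THROW_ON_ERROR);
}
```

The important design choice is that the hardened path never calls require_once, include, or eval on anything derived from the upload: a backup is treated as data to be validated and parsed, so a .php entry in the archive has no execution path even if the audit were bypassed. auditArchiveEntries can also be run on its own as the "audit every archive before restoring" control from the remediation list on a still-unpatched installation.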
EUVD-2025-209130
GHSA-hv78-cwp4-8r7r