6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2023-43647

GHSA ID

GHSA-ggj4-78rm-6xgv

EPSS Score

0.6773%

CWE

CWE-79

Published

10/26/2023

Updated

11/9/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-43647

CVE-2023-43647: baserCMS Cross-site Scripting vulnerability in File upload Feature

There is a XSS Vulnerability in File upload Feature to baserCMS.

This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible.

Target

baserCMS 4.7.8 and earlier versions

Vulnerability

Malicious code may be executed in File upload Feature.

Countermeasures

Update to the latest version of baserCMS

Please refer to the following page to reference for more information. https://basercms.net/security/JVN_45547161

Credits

Shiga Takuma@BroadBand Security, Inc

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-43647

CVE-2023-43647:

6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2023-43647

GHSA ID

GHSA-ggj4-78rm-6xgv

EPSS Score

0.6773%

CWE

CWE-79

Published

10/26/2023

Updated

11/9/2023

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
baserproject/basercms	composer	< 4.8.0	4.8.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient output encoding in multiple locations. Key evidence includes:

In BcUploadHelper::fileLink, the unescaped mb_basename($value) in figcaption was patched with h(), indicating direct XSS risk.
In MaildataHelper::toDisplayString, the getLink() call lacked escape=true parameter, patched to enforce escaping.
Template files showed unescaped $listId/$id in HTML contexts (span IDs and JS URLs), though these are template-level issues rather than discrete functions. The most clearly identifiable vulnerable functions are the helper methods where escaping was explicitly added in patches.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-43647: baserCMS Cross-site Scripting vulnerability in File upload Feature

Target

Vulnerability

Countermeasures

Credits

CVE-2023-43647:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2023-43647: baserCMS Cross-site Scripting vulnerability in File upload Feature

Target

Vulnerability

Countermeasures

Credits

6.1

6.1

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI