4.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2023-43649

GHSA ID

GHSA-fw9x-cqjq-7jx5

EPSS Score

0.29845%

CWE

CWE-352

Published

10/26/2023

Updated

11/9/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-43649

CVE-2023-43649:
baserCMS CSRF vulnerability in Content preview Feature

There is a CSRF Vulnerability in Content preview Feature to baserCMS.

This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible.

Target

baserCMS 4.7.8 and earlier versions

Vulnerability

Malicious code may be executed in Content preview Feature.

Countermeasures

Update to the latest version of baserCMS

Please refer to the following page to reference for more information. https://basercms.net/security/JVN_45547161

Credits

Shiga Takuma@BroadBand Security, Inc

(GitHub Advisory)

4.7

CVSS Score

3.0

Basic Information

CVE ID

CVE-2023-43649

GHSA ID

GHSA-fw9x-cqjq-7jx5

EPSS Score

0.29845%

CWE

CWE-352

Published

10/26/2023

Updated

11/9/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
baserproject/basercms	composer	< 4.8.0	4.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows the removal of $controller->Security->csrfCheck = false in BcContentsComponent.php. This line explicitly disabled CSRF validation for content preview requests, creating the vulnerability. The CWE-352 (CSRF) classification and the patch's focus on re-enabling CSRF checks confirm this function's role in the exploit.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * *SR* Vuln*r**ility in *ont*nt pr*vi*w ***tur* to **s*r*MS. T*is is * vuln*r**ility t**t n***s to ** ***r*ss** w**n t** m*n***m*nt syst*m is us** *y *n unsp**i*i** num**r o* us*rs. I* you *r* *li*i*l*, pl**s* up**t* to t** n*w v*rsion *s s

Reasoning

T** *ommit *i** s*ows t** r*mov*l o* `$*ontroll*r->S**urity->*sr*****k = **ls*` in ***ont*nts*ompon*nt.p*p. T*is lin* *xpli*itly *is**l** *SR* v*li**tion *or *ont*nt pr*vi*w r*qu*sts, *r**tin* t** vuln*r**ility. T** *W*-*** (*SR*) *l*ssi*i**tion *n*

4.7

Basic Information

Concerned about an active attack path?

CVE-2023-43649: baserCMS CSRF vulnerability in Content preview Feature

Target

Vulnerability

Countermeasures

Credits

4.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-43649:
baserCMS CSRF vulnerability in Content preview Feature

Vulnerability Intelligence
Miggo AI