← Voltar para CVEs

CVE-2025-32957

HIGH

8.7

Descricao

baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.

Detalhes CVE

Pontuacao CVSS v3.18.7

SeveridadeHIGH

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosHIGH

Interacao do usuarioNONE

Publicado3/31/2026

Ultima modificacao4/1/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

basercms:basercms

Fraquezas (CWE)

CWE-434

Referencias

https://basercms.net/security/JVN_20837860(security-advisories@github.com)

https://github.com/baserproject/basercms/releases/tag/5.2.3(security-advisories@github.com)

https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r(security-advisories@github.com)

https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.