CVE-2023-43792
Published 2023-10-30
Priority: P3 · 53 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.57% (43.0th percentile)
baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| basercms | basercms | 4.6.0 – 4.7.6 | — |
| baserproject | basercms | — | — |
| baserproject | basercms | 4.6.0 – 4.7.6 | — |
CVSS provenance
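| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |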
GHSA
Liferay Portal has External Control of System or Configuration Settings
ghsa·2025-09-15
CVE-2025-43792 [LOW] CWE-15 Liferay Portal has External Control of System or Configuration Settings
Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the live site from the database, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake “live site”) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and _com_liferay_exportimport_web_portlet_ExportImportPortlet_remotePort parameters. To successfully exploit this vulnerability, an attacker must also successfully obtain the staging server’s shared secret and add
GHSA
baserCMS Code Injection Vulnerability in Mail Form Feature
ghsa·2023-10-26
CVE-2023-43792 [MEDIUM] CWE-94 baserCMS Code Injection Vulnerability in Mail Form Feature
There is a code injection vulnerability in the Mail Form feature of baserCMS.
### Target
baserCMS 4.7.6 and earlier versions
### Vulnerability
Malicious code may be executed in Mail Form Feature.
### Countermeasures
Update to the latest version of baserCMS
Please refer to the following page for more information.
https://basercms.net/security/JVN_45547161
### Credits
Shiga Takuma@BroadBand Security, Inc
OSV
baserCMS Code Injection Vulnerability in Mail Form Feature
osv·2023-10-26
CVE-2023-43792 [MEDIUM] baserCMS Code Injection Vulnerability in Mail Form Feature
There is a code injection vulnerability in the Mail Form feature of baserCMS.
### Target
baserCMS 4.7.6 and earlier versions
### Vulnerability
Malicious code may be executed in Mail Form Feature.
### Countermeasures
Update to the latest version of baserCMS
Please refer to the following page for more information.
https://basercms.net/security/JVN_45547161
### Credits
Shiga Takuma@BroadBand Security, Inc
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-10-30