📄 Description (English)
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the filename. An attacker can craft a malicious PHP file within the zip and achieve arbitrary code execution when it is included. This issue has been patched in version 5.2.3.
🤖 AI Executive Summary
baserCMS versions prior to 5.2.3 contain a critical arbitrary code execution vulnerability in the restore function that allows attackers to upload malicious PHP files within ZIP archives. The vulnerability stems from unsafe extraction and inclusion of PHP files without filename validation, enabling remote code execution with high severity (CVSS 8.7). This poses an immediate threat to Saudi organizations using baserCMS for website development and content management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 20:19
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations in the following sectors: (1) Government agencies and municipalities using baserCMS for public-facing websites and citizen services portals; (2) Banking and financial institutions utilizing baserCMS for web applications; (3) Healthcare providers managing patient information portals; (4) Telecommunications companies (STC, Mobily, Zain) with web-based services; (5) E-commerce and retail businesses; (6) Educational institutions. The exploit availability and lack of patch create immediate risk for data breach, system compromise, and potential lateral movement to critical infrastructure.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Medical Services
Telecommunications
E-commerce and Retail
Education
Media and Publishing
Hospitality and Tourism
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all baserCMS installations in your environment and document their versions
2. Disable or restrict access to the restore/backup upload functionality immediately
3. Implement Web Application Firewall (WAF) rules to block ZIP file uploads to restore endpoints
4. Review access logs for suspicious restore function usage and ZIP file uploads
PATCHING GUIDANCE:
1. Upgrade to baserCMS version 5.2.3 or later immediately when available
2. If upgrade is not immediately possible, apply the following compensating controls
COMPENSATING CONTROLS (if patch unavailable):
1. Implement strict file upload validation - whitelist only .zip extensions and verify MIME type
2. Extract ZIP files to a temporary directory outside web root
3. Implement PHP execution restrictions in upload/temp directories via .htaccess or web server configuration
4. Validate and sanitize all filenames before inclusion/require operations
5. Use PHP open_basedir directive to restrict file access scope
6. Implement code review for all restore/backup functionality
DETECTION RULES:
1. Monitor for POST requests to restore/backup endpoints with .zip file uploads
2. Alert on extraction of PHP files from ZIP archives in upload directories
3. Monitor for require_once/include operations on user-controlled filenames
4. Track file creation in web-accessible directories with .php extensions
5. Monitor for unusual process execution from web server user context
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع تثبيتات baserCMS في بيئتك وتوثيق إصداراتها
2. عطّل أو قيّد الوصول إلى وظيفة الاستعادة/رفع النسخة الاحتياطية فوراً
3. طبّق قواعد جدار حماية تطبيقات الويب (WAF) لحظر رفع ملفات ZIP إلى نقاط نهاية الاستعادة
4. راجع سجلات الوصول للاستخدام المريب لوظيفة الاستعادة ورفع ملفات ZIP
إرشادات التصحيح:
1. قم بالترقية إلى baserCMS الإصدار 5.2.3 أو أحدث فوراً عند توفره
2. إذا لم يكن الترقية ممكنة فوراً، طبّق الضوابط التعويضية التالية
الضوابط التعويضية (إذا لم يكن التصحيح متاحاً):
1. طبّق التحقق الصارم من رفع الملفات - قائمة بيضاء لامتدادات .zip فقط والتحقق من نوع MIME
2. استخرج ملفات ZIP إلى دليل مؤقت خارج جذر الويب
3. طبّق قيود تنفيذ PHP في دلائل الرفع/المؤقتة عبر .htaccess أو إعدادات خادم الويب
4. تحقق من أسماء الملفات وقم بتنظيفها قبل عمليات التضمين/الطلب
5. استخدم توجيه PHP open_basedir لتقييد نطاق الوصول إلى الملفات
6. طبّق مراجعة الأكواد لجميع وظائف الاستعادة/النسخة الاحتياطية
قواعد الكشف:
1. راقب طلبات POST إلى نقاط نهاية الاستعادة برفع ملفات .zip
2. أصدر تنبيهات عند استخراج ملفات PHP من أرشيفات ZIP في دلائل الرفع
3. راقب عمليات require_once/include على أسماء ملفات يتحكم بها المستخدم
4. تتبع إنشاء الملفات في الدلائل التي يمكن الوصول إليها عبر الويب بامتدادات .php
5. راقب تنفيذ العمليات غير العادية من سياق مستخدم خادم الويب
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.12.1.1 - Segregation of duties in system development
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.12.6.1 - Management of technical vulnerabilities
A.12.2.1 - Input validation
🔵 SAMA CSF
ID.GV-1 - Organizational processes to manage cybersecurity risk
PR.DS-6 - Data is protected from unauthorized access
PR.IP-1 - System development follows secure development practices
DE.CM-8 - Vulnerability scans are performed
RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.6.2.1 - Mobile device management
A.12.2.1 - Input validation and output encoding
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
🟣 PCI DSS v4.0.1
6.2 - Ensure security patches are installed
6.5.1 - Injection flaws prevention
6.5.8 - Improper access control prevention
11.2 - Vulnerability scanning
🔗 References & Sources 4
🔗
https://basercms.net/security/JVN_20837860
security-advisories@github.com
Vendor Advisory
🔗
https://github.com/baserproject/basercms/releases/tag/5.2.3
security-advisories@github.com
Release Notes
🔗
https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r
security-advisories@github.com
Exploit
Vendor Advisory
🔗
https://github.com/baserproject/basercms/security/advisories/GHSA-hv78-cwp4-8r7r
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
basercms:basercms