CVE-2021-41279: 
PHP vulnerability analysis and mitigation

BaserCMS, an open source content management system with a focus on Japanese language support, was found to contain a path traversal vulnerability (CVE-2021-41279). The vulnerability was discovered in versions prior to 4.5.4 and disclosed on November 25, 2021. It affects users with upload privileges who could upload crafted zip files capable of path traversal on the host operating system (GitHub Advisory, NVD).

The vulnerability exists in the SimpleZip package used by baserCMS. The system did not properly validate zip file contents during extraction, allowing for path traversal attacks. The vulnerability received a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) from NVD and 7.7 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) from GitHub (NVD).

If exploited, this vulnerability could allow authenticated users with upload privileges to perform path traversal attacks on the host operating system, potentially leading to arbitrary file writes and remote code execution (GitHub Advisory).

The vulnerability was patched in version 4.5.4 of baserCMS. The fix included stopping the use of SimpleZip and switching to ZipArchive. Users are strongly advised to update to the latest version as soon as possible (GitHub Advisory).