CVE-2023-25655: 
PHP vulnerability analysis and mitigation

CVE-2023-25655 affects baserCMS, a Content Management System, prior to version 4.7.5. The vulnerability was discovered and disclosed in March 2023, allowing unauthorized file uploads through the management system of baserCMS (GitHub Advisory).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and received a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue specifically affects the Upload File Management functionality in the baserCMS management system, where there were insufficient restrictions on file uploads (NVD).

The vulnerability allows malicious users to upload any type of file to the baserCMS system, which could potentially lead to remote code execution or other security compromises. This is particularly concerning when the management system is accessed by multiple users (GitHub Advisory).

The vulnerability has been patched in baserCMS version 4.7.5. Users are strongly advised to upgrade to this version or later to address the security issue. The fix includes improvements to the file upload validation process (GitHub Commits).

The vulnerability was responsibly disclosed and investigated by security researchers Taisei Inoue from GMO Cybersecurity by Ierae, Inc. and Yusuke Akagi from Mitsui Bussan Secure Directions, Inc. (GitHub Advisory).