CVE-2023-43792: 
PHP vulnerability analysis and mitigation

CVE-2023-43792 is a code injection vulnerability affecting baserCMS, a website development framework written in PHP. The vulnerability exists in the mail form feature of baserCMS versions 4.6.0 through 4.7.6. This security flaw was discovered and disclosed in October 2023 (Vendor Advisory, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NIST NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while GitHub assigned it a CVSS v3.0 score of 5.3 (MEDIUM) with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified as CWE-94: Improper Control of Generation of Code ('Code Injection') (NVD).

A successful exploitation of this vulnerability could allow an attacker to inject arbitrary code into the baserCMS application, which could then be executed by other users of the application. This could potentially lead to unauthorized code execution, installation of malware, or theft of sensitive data (CloudSEK).

Users are advised to upgrade to baserCMS version 5.0.5 or later. For those unable to upgrade immediately, a temporary mitigation involves disabling the mail form functionality by modifying the app/Config/bootstrap.php file and changing Configure::write('Mail.enable', true) to Configure::write('Mail.enable', false) (CloudSEK).