A short writeup for an old CVE I was credited on jointly with Orel Gispan from Sompo Digital Lab Tel Aviv. I held off on this one since the discovery context isn’t fully mine to share, but the bug itself is public so here’s what I can say.
CVE-2024-44807
Affected Versions
BurgerEditor and BurgerEditor Limited Edition (a plugin for baserCMS), v2 prior to v2.25.1. baserCMS 5.x is not affected.
| CVSS Base Score | Vector |
| --- | --- |
| 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Fixed Version
BurgerEditor v2.25.1
| Field | Value |
| --- | --- |
| Date | 2024-10-10 |
| Release notes | See vendor advisory. |
Introduction
baserCMS is a Japanese open source CMS built on top of CakePHP. It’s quite popular with small and medium-sized Japanese companies for their corporate sites. BurgerEditor is a paid block-style WYSIWYG editor plugin sold by D-Zero Co., Ltd. that bolts onto baserCMS for a nicer editing experience.
This bug was reported jointly with Orel Gispan from Sompo Digital Lab Tel Aviv. JPCERT/CC handled the coordination, and it took quite a while for the developer to publish a fix.
Bug Discovery
This is mostly redacted.
We were doing an engagement for a web app that uses baserCMS in one of its components. When fuzzing it, we discovered that some funky stuff happens when you append characters after the trailing slash, and this CVE is the result of that. By the way, no authentication was needed.
Specifically (but still keeping it vague), adding a specific string onto a particular URL under the plugin gives back an HTML directory listing of the upload area. Every file in that listing is then fetchable with another unauthenticated GET.
It’s a route that returns an index that should never have been enabled in production. I guess in the old days people used .htaccess to restrict this kind of thing, but when you’re making a plugin for a CMS, that’s not an acceptable mitigation: the plugin has to refuse to serve a directory itself, regardless of how the web server in front of it is configured.
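To make the failure mode concrete, here is an added example (my own illustration, not code from BurgerEditor or baserCMS) that contrasts an autoindex-style file route with a hardened one. The upload directory, its files and the request paths are all constructed for the example; the specific string and URL from the advisory are not reproduced, so the odd path spellings below are stand-ins, not the real trigger.

```python
"""Directory-listing failure mode vs. a hardened upload route (constructed example).

serve_naive():     if the resolved path is a directory, render an HTML listing
                   (the autoindex behaviour the advisory describes).
resolve_upload():  only a regular file strictly inside the upload root is served;
                   a directory, however the path is spelled, and any traversal get 404.
"""
import os
import tempfile
from urllib.parse import unquote

# Constructed upload area, created at import time so the example runs offline.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="uploads_")
os.makedirs(os.path.join(UPLOAD_ROOT, "img"))
with open(os.path.join(UPLOAD_ROOT, "img", "logo.png"), "wb") as fh:
    fh.write(b"\x89PNG constructed sample")
with open(os.path.join(UPLOAD_ROOT, "notes.txt"), "w") as fh:
    fh.write("constructed sample")


def serve_naive(request_path: str, root: str = UPLOAD_ROOT):
    """Autoindex-style route (illustrative): map the URL path onto the filesystem
    and, if it lands on a directory, emit an HTML listing of its contents."""
    target = os.path.realpath(os.path.join(root, unquote(request_path).lstrip("/")))
    if os.path.isdir(target):
        rows = "".join(f"<li>{name}</li>" for name in sorted(os.listdir(target)))
        return 200, f"<html><body><ul>{rows}</ul></body></html>"
    if os.path.isfile(target):
        with open(target, "rb") as fh:
            return 200, fh.read()
    return 404, None


def resolve_upload(request_path: str, root: str = UPLOAD_ROOT):
    """Hardened route: return (status, absolute path or None).

    - percent-decode once, then normalise the relative path
    - anything that resolves outside the upload root -> 404
    - a directory target (trailing slash, '/.', '/./', empty path ...) -> 404,
      never a listing; only regular files are served
    """
    rel = os.path.normpath(unquote(request_path).lstrip("/"))
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, rel))
    # Containment check on the fully resolved path (symlinks included).
    if os.path.commonpath([real_root, candidate]) != real_root:
        return 404, None
    # Refuse directories outright: the route serves files, not indexes.
    if not os.path.isfile(candidate):
        return 404, None
    return 200, candidate


if __name__ == "__main__":
    for p in ("/img/logo.png", "/img/", "/img/.", "/", "/../../etc/passwd"):
        print(p, "naive:", serve_naive(p)[0], "hardened:", resolve_upload(p)[0])
```

The point of the contrast is the `isfile` gate: the naive route decides what to do by looking at what the path resolved to, so any spelling that lands on a directory produces a listing, while the hardened route treats "not a regular file inside the root" as a single 404 case. Rejecting directories in the handler is what a plugin can guarantee on its own; an `.htaccess` rule only helps on servers that happen to honour it.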
For more info, read the JVN advisory.
The Exploit
Go diff v2.25.0 and v2.25.1. It’s a character in the path.
Afterthoughts
I kept this as an unpublished draft for over 2 years. Even with a clean CVE and a JVN advisory, there’s always more context around how a finding came together that I can’t put into this post. I enjoyed the collaboration at SOMPO Holdings, and I’m grateful to Sompo Digital Lab Tel Aviv for the support and to Orel for the joint work.
Timeline
Only the public dates are listed here.
2024-10-10 JST - Vendor releases BurgerEditor v2.25.1
2024-10-10 JST - JVN#54676967 published by JPCERT/CC
2024-10-11 JST - CVE-2024-44807 published on NVD
2026-06-01 JST - Blog post published