CVE-2021-46875: 
PHP vulnerability analysis and mitigation

An XSS vulnerability (CVE-2021-46875) was discovered in eZ Platform Ibexa Kernel versions before 1.3.1.1. The vulnerability allows attackers to perform cross-site scripting attacks by uploading JavaScript code within .html or .js files. The issue affects multiple versions including eZ Platform Kernel 1.2.0-1.2.5.1, 1.3.0-1.3.1.1, 6.13.0-6.13.8.2, and 7.5.0-7.5.15.2 (NVD, MITRE).

The vulnerability has a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue stems from insufficient file type validation in the file upload functionality, which allows malicious users to upload files containing JavaScript code that can be executed when accessed. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this vulnerability allows attackers to perform cross-site scripting (XSS) attacks by uploading malicious HTML or JavaScript files. When victims access links to these uploaded files, the embedded XSS exploits are executed in their browsers, potentially leading to unauthorized access to user data or session information (GitHub Advisory).

The vulnerability has been patched in versions 6.13.8.2, 7.5.15.2, 1.2.5.1, and 1.3.1.1. The fix involves adding common types of scriptable file types to the configuration of the existing filetype blacklist feature. Organizations can also manually implement the fix by updating the 'ezsettings.default.io.filestorage.filetype_blacklist' configuration without upgrading to the patched versions. However, administrators should carefully consider which file types to blacklist based on their specific needs (GitHub Advisory).