CVE-2022-0743: 
PHP vulnerability analysis and mitigation

Cross-site Scripting (XSS) - Stored vulnerability was discovered in GitHub repository getgrav/grav prior to version 1.7.31. The vulnerability was assigned CVE-2022-0743 and was disclosed on February 28, 2022. This security issue affects the Grav content management system (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N. The issue stems from improper entity sanitization in the XSS detection mechanism. The vulnerability was specifically related to the handling of HTML entities in the Security.php file, where the regular expression for cleaning up entities was incorrectly implemented (GitHub Patch).

The vulnerability could allow an authenticated attacker to execute stored cross-site scripting attacks, potentially leading to the exposure of sensitive information and unauthorized actions in the context of other users' sessions (NVD).

The vulnerability has been fixed in Grav version 1.7.31. Users are advised to upgrade to this version or later to address the security issue. The fix involves correcting the regular expression pattern used for entity sanitization from '!(&#0+[0-9]+)!u' to '!(&#[0-9]+)!u' (GitHub Patch).