CVE-2022-30429: 
PHP vulnerability analysis and mitigation

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Neos CMS, affecting versions from 3.3 through 8.0.1. The vulnerability, identified as CVE-2022-30429, allows attackers with editor role privileges or higher to inject arbitrary script or HTML code through multiple attack vectors including the editor function, asset deletion, and workspace title manipulation (Neos Blog, NVD).

The vulnerability stems from the notification module's improper handling of HTML content from the server. Specifically, the module unescapes HTML in flash messages, leading to XSS vulnerabilities when processing various entity names and labels, such as workspace titles or media titles. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated users with editor privileges to inject and execute arbitrary script or HTML code in the context of other users' browsers. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious actions within the scope of the affected user's session (NVD).

The vulnerability has been patched in multiple versions: 5.3.10, 7.0.9, 7.1.7, 7.2.6, 7.3.4, and 8.0.2. Users are strongly advised to update to the nearest fixed version. The Neos team particularly emphasizes that version 5.3 is the last supported version for security fixes, and users on earlier versions should update immediately (Neos Blog).