CVE-2022-32115: 
PHP vulnerability analysis and mitigation

An issue in the isSVG() function of Known v1.2.2+2020061101 allows attackers to execute arbitrary code via a crafted SVG file. The vulnerability was discovered in May 2022 and affects the Known PHP CMS software, a social publishing platform (Known Github, Known Website).

The vulnerability exists in the isSVG() function which performs insufficient validation of SVG files. The function only checks the file extension without performing proper content validation, as indicated by a TODO comment in the code stating 'better SVG validation would be nice'. This implementation allows malicious SVG files containing arbitrary JavaScript code to be uploaded and executed (Jitendra Blog).

The vulnerability allows attackers to execute arbitrary JavaScript code through crafted SVG files. When a user clicks on or views the malicious SVG file, the embedded JavaScript code executes in the context of the web application, potentially leading to cross-site scripting attacks and other client-side attacks (Jitendra Blog).

While no official patch was available at the time of disclosure, proper SVG file validation should be implemented to mitigate this vulnerability. This should include content validation beyond just checking the file extension, and should specifically check for and sanitize any embedded scripts or potentially malicious content within SVG files (Jitendra Blog).