CVE-2023-25365: 
PHP vulnerability analysis and mitigation

Cross Site Scripting (XSS) vulnerability was discovered in October CMS version 3.2.0, which allows local attackers to execute arbitrary code via the file type .mp3. The vulnerability was discovered by researchers cupc4k3 and Gabriel V. Mendes and was disclosed on February 8, 2024 (Medium Blog).

The vulnerability exists in the file upload functionality of October CMS. While the application implements file extension filtering to block potentially dangerous file types, the security mechanism can be bypassed. An attacker can upload an HTML file containing malicious script by changing the file extension to .mp3, which is an allowed file type. The uploaded file remains hidden in the system but can be accessed and executed, leading to successful cross-site scripting attacks. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code through cross-site scripting, potentially leading to high impacts on confidentiality, integrity, and availability of the system. The vulnerability has been classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD).