CVE-2023-28851: 
PHP vulnerability analysis and mitigation

CVE-2023-28851 affects Silverstripe Form Capture, a package that provides functionality to capture simple silverstripe forms and an admin interface for users. The vulnerability was discovered in version 0.2.0 and affected versions up to 1.0.1, 2.0.0-2.2.4, and 3.0.0-3.1.0. The issue involves improper escaping when presenting stored form submissions, which could lead to Cross-Site Scripting attacks (GitHub Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). It received a CVSS v3.1 base score of 5.4 (Medium) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while GitHub assessed it at 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows attackers to perform stored Cross-Site Scripting (XSS) attacks through improperly escaped form submissions. This could potentially lead to unauthorized access to sensitive information and manipulation of web content (GitHub Advisory).

The vulnerability was initially patched in version 1.0.2 and version 1.1.0. After being accidentally reintroduced during a merge error, it was re-patched in versions 2.2.5 and 3.1.1. There are no known workarounds for this vulnerability, and users are advised to upgrade to the patched versions (GitHub Advisory).