CVE-2023-36236: 
PHP vulnerability analysis and mitigation

Cross Site Scripting (XSS) vulnerability was discovered in webkil Bagisto version 1.5.0 and earlier versions. The vulnerability allows an attacker to execute arbitrary code through a crafted SVG file upload functionality (NVD, GitHub Exploit). The vulnerability was assigned CVE-2023-36236 and was disclosed in January 2024.

The vulnerability exists in the admin interface of Bagisto, specifically in the velocity/meta-data endpoint. The issue stems from insufficient validation of SVG file uploads, which allows attackers to inject malicious scripts within SVG files. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, the vulnerability allows attackers to execute arbitrary code in the context of other users' sessions, potentially leading to the theft of user cookies and session information. This could result in unauthorized access to user accounts and sensitive information (GitHub Exploit).

The vulnerability has been patched in Bagisto version 1.5.1. The fix includes enhanced SVG sanitization implemented through a dedicated sanitizer class, as evidenced in the patch commit. Users are advised to upgrade to version 1.5.1 or later to address this security issue (GitHub Patch).