CVE-2023-36828: 
PHP vulnerability analysis and mitigation

CVE-2023-36828 affects Statamic, a flat-first, Laravel and Git powered content management system. The vulnerability was discovered in versions prior to 4.10.0, where the SVG tag failed to properly sanitize malicious SVG content, enabling potential cross-site scripting (XSS) attacks even when using the sanitize function. The issue was disclosed on July 5, 2023 (GitHub Advisory).

The vulnerability stems from inadequate sanitization of SVG files in the Svg.php component. When retrieving SVG files using File::get(), the content was not properly sanitized before being rendered, allowing potential execution of malicious scripts embedded within SVG files. The vulnerability has a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

An attacker could exploit this vulnerability to perform cross-site scripting (XSS) attacks by uploading maliciously crafted SVG files. This is particularly concerning when SVG files are used in public-facing areas of a website, such as social media icons in footers, where any user can view and potentially be affected by the malicious content (GitHub Advisory).

The vulnerability was patched in Statamic version 4.10.0. The fix implements proper SVG sanitization using a dedicated sanitizer package. Users are strongly recommended to upgrade to version 4.10.0 or later. The patch also introduces a new sanitize parameter for the SVG tag, allowing explicit control over content sanitization (GitHub Release).