CVE-2023-37611: 
PHP vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Neos CMS version 8.3.3, identified as CVE-2023-37611. The vulnerability allows a remote authenticated attacker to execute arbitrary code via a crafted SVG file uploaded to the neos/management/media component. The vulnerability was discovered in August 2023 and was subsequently patched in multiple versions including 7.3.19, 8.0.16, 8.1.11, 8.2.11, and 8.3.9 (GitHub PR).

The vulnerability exists in the media management component of Neos CMS where SVG files can be uploaded. When a malicious SVG file containing JavaScript code is uploaded and accessed directly in the browser, the embedded malicious code executes in the context of the user's browser. The vulnerability received a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers to execute arbitrary JavaScript code in the context of other users' browsers who access the malicious SVG file directly. This can lead to session hijacking, credential theft, and further compromise of users who have access to the media management section. The attacker can potentially hook victims' browsers and send interactive JavaScript commands, enabling more sophisticated attacks (Medium Blog).

The vulnerability has been patched in multiple Neos CMS versions: 7.3.19, 8.0.16, 8.1.11, 8.2.11, and 8.3.9. The fix includes implementing checks for malicious content in SVG files before providing original asset URL links. When malicious content is detected, direct links to the original URL are removed from the preview pages and a warning is displayed (GitHub PR).