CVE-2023-43647: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the file upload feature of baserCMS, a website development framework, affecting versions prior to 4.8.0. The vulnerability was identified and tracked as CVE-2023-43647, with disclosure occurring in October 2023. The issue affects all versions of baserCMS up to version 4.7.8 (GitHub Advisory).

The vulnerability is classified as a moderate severity issue with a CVSS v3.1 base score of 5.4 (MEDIUM) according to NVD, and 6.1 (MEDIUM) according to GitHub. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The scope is changed, with low impact on both confidentiality and integrity, and no impact on availability (NVD).

The vulnerability could allow malicious code execution through the file upload feature when the management system is used by an unspecified number of users. This poses a particular risk when the system is accessed by multiple users with varying levels of trust (GitHub Advisory).

The vulnerability has been patched in baserCMS version 4.8.0. Users are strongly advised to update to this version or later to address the security issue. The fix involves implementing proper input validation and output encoding in the file upload feature (GitHub Advisory).

The vulnerability was discovered and reported by Shiga Takuma from BroadBand Security, Inc. The vendor has acknowledged the issue and provided a fix in a timely manner (GitHub Advisory).