CVE-2023-44383: 
PHP vulnerability analysis and mitigation

CVE-2023-44383 is a stored Cross-Site Scripting (XSS) vulnerability affecting October CMS, a Content Management System and web platform. The vulnerability was discovered in versions above 3.0 and was patched in version 3.5.2. The issue allows authenticated users with access to the media manager to create stored XSS attacks through SVG file uploads when SVG files are supported (GitHub Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 5.4 (Medium). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C) with low confidentiality (C:L) and integrity (I:L) impacts, and no availability impact (A:N) (NVD).

When exploited, this vulnerability allows authenticated users to execute stored XSS attacks against themselves and other users who have access to the media manager. The attack is possible when SVG files are supported, which is the default configuration in version 3 (GitHub Advisory).

The vulnerability has been patched in version 3.5.2 by implementing an SVG sanitizer. For new installations, the sanitizer is enabled by default through the 'clean_vectors' => true configuration in config/media.php. For existing installations, this setting must be manually enabled. As a workaround for unpatched systems, administrators can remove the SVG extension from the list of supported file types (GitHub Advisory, GitHub Commit).