
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Concrete CMS v9.2.1 was reported to be affected by an Arbitrary File Upload vulnerability in its Thumbnail file upload, which enables Cross-Site Scripting (XSS). This vulnerability was assigned CVE-2023-44763 and has been marked as DISPUTED. The vendor's position is that customers are supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration (NVD).
The vulnerability was reported in the "Thumbnail" file upload functionality, where insufficient validation of uploaded files allows PDF, SVG and HTML files carrying hidden XSS payloads to be stored. The attack can be executed by uploading a specially crafted PDF file containing JavaScript code like 'app.alert("XSS");', generated using the JS2PDFInjector tool. The CVSS v3.1 base score is 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD, GitHub POC).
If successfully exploited, this vulnerability could allow an authenticated attacker to execute arbitrary JavaScript code in the context of other users' browsers when they view the uploaded malicious file, potentially leading to theft of sensitive information or session hijacking (GitHub POC).
According to the vendor, the vulnerability can be mitigated by properly configuring the allowed file types. The vendor recommends: 1) serving uploaded files other than images as text/plain, 2) configuring the minimum necessary allowable file types via dashboard/system/files/filetypes, 3) excluding specific file types from upload permissions, and 4) using the concrete.php configuration file to restrict allowed file extensions (Concrete Advisory).
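As an added example (not Concrete CMS code), the following server-side check implements the spirit of the vendor's recommendations 1 and 2 for a thumbnail endpoint: a constructed raster-image-only allowlist, a magic-byte check so a PDF or SVG renamed to an image extension is still refused, and a response-header rule that serves anything that is not a verified image as text/plain. All names and the allowlist are assumptions made for this illustration.

```python
import re

# Constructed allowlist for a thumbnail endpoint: raster images only, so the PDF,
# SVG and HTML formats named in the advisory are never accepted.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes of the allowed formats, used to verify the extension is honest.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)

# Signatures of script-bearing documents that may arrive under an image extension.
_ACTIVE_DOCUMENT = re.compile(rb"^\s*(%PDF-|<\?xml|<svg|<!doctype html|<html|<script)", re.IGNORECASE)

def check_thumbnail_upload(filename: str, data: bytes) -> dict:
    """Accept only when the extension and the leading bytes agree that the
    upload is an allowed raster image; a PDF renamed to .png is rejected too."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return {"accept": False, "reason": f"extension '{ext}' is not an allowed image type"}
    mime = next((m for magic, m in IMAGE_MAGIC if data.startswith(magic)), None)
    if mime is None:
        if _ACTIVE_DOCUMENT.match(data[:64]):
            return {"accept": False, "reason": "PDF/SVG/HTML content hidden behind an image extension"}
        return {"accept": False, "reason": "content is not a recognised image"}
    return {"accept": True, "content_type": mime}

def download_headers(filename: str, data: bytes) -> dict:
    """Headers for serving a stored file, following the vendor's first recommendation:
    verified images keep their image type; anything else goes out as text/plain and
    as an attachment, so a browser never renders embedded script inline."""
    verdict = check_thumbnail_upload(filename, data)
    if verdict["accept"]:
        return {"Content-Type": verdict["content_type"], "X-Content-Type-Options": "nosniff"}
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
    }

if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a PDF header renamed to .png.
    png, pdf = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, b"%PDF-1.7\n1 0 obj\n"
    print(check_thumbnail_upload("thumb.png", png), check_thumbnail_upload("thumb.png", pdf))
    print(download_headers("thumb.pdf", pdf)["Content-Type"])
```

The extension check alone would have passed the renamed PDF; the magic-byte check is what closes that gap, and the text/plain response covers files that were stored before the allowlist was tightened.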
The vendor has formally rejected this CVE and requested MITRE to close it, stating that validating file uploads is not in scope of their security program. They have indicated they may consider adding health report checks and disabling PDF uploads by default in future releases to help less experienced users (Concrete Advisory).
Source: This report was generated using AI