CVE-2023-46947: 
PHP vulnerability analysis and mitigation

Subrion 4.2.1 contains a remote command execution (RCE) vulnerability in the backend system. The vulnerability was discovered and disclosed on October 26, 2023, affecting the latest version of Subrion CMS 4.2.1. This security issue has been assigned CVE-2023-46947 with a CVSS v3.1 base score of 8.8 (HIGH) (NVD).

The vulnerability exists in the backend system's Hooks functionality within the System module. The attack vector involves manipulating the sitemapGeneration hook to achieve arbitrary code execution. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and has a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity and requiring low privileges (NVD, GitHub Issue).

The vulnerability allows an authenticated attacker with access to the backend system to execute arbitrary PHP code on the affected server. This can lead to complete system compromise, including the ability to read, write, or modify files on the server, and potentially gain full control of the affected system (NVD).

As of the current data, there is no official patch available for this vulnerability. The suggested mitigation approach is to filter dangerous functions and content before writing files to the system, as proposed in the issue report (GitHub Issue).