CVE-2023-47350: 
PHP vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability in SwiftyEdit Content Management System prior to v1.2.0, allows remote attackers to escalate privileges via the user password update functionality. The vulnerability was discovered in November 2023 and affects all versions of SwiftyEdit CMS before version 1.2.0 (NVD, Mechaneus).

The vulnerability is classified as CWE-352: Cross-Site Request Forgery (CSRF) with a CVSS v3.1 base score of 8.8 (HIGH) - Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue stems from the web application's failure to employ CSRF tokens in the 'Update Password' functionality within the user 'Profile' section. This security flaw enables unauthorized password changes on user accounts, particularly when targeting administrators (Mechaneus).

The vulnerability allows an unauthenticated attacker to escalate privileges to administrator level by tricking an administrator into executing malicious HTML markup that triggers a password change. Once the attacker gains administrator access, they can create, edit, and delete any content in the CMS, as well as modify or remove users with any privilege level (Mechaneus).

The vulnerability has been patched in SwiftyEdit version 1.2.0 through the implementation of CSRF tokens for all forms. The fix includes adding hidden CSRF tokens and validation checks for all POST actions. Users are advised to upgrade to version 1.2.0 or later (GitHub Patch).