CVE-2023-47380: 
PHP vulnerability analysis and mitigation

Admidio v4.2.12 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. The vulnerability was identified and reported by Ramshath M from Astra Security, leading to the release of version 4.2.13 on November 1, 2023, which includes the patch (Admidio Release, Astra Blog).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) attack, where malicious code can be inserted into a trusted website. The attack occurs within a single request/response cycle, with the malicious code included in the request to the vulnerable web application and subsequently reflected in the user's server's HTTP response. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The Reflected XSS vulnerability can lead to several significant impacts including data theft, session hijacking, and potential website defacement. Attackers could steal user data including cookies and personal information, allowing them to impersonate users and execute unauthorized actions. Additionally, the vulnerability could be exploited to propagate malware or ransomware, and manipulate web page content (Astra Blog).

The vulnerability has been patched in Admidio version 4.2.13. Users are strongly recommended to upgrade to this version to protect against the XSS vulnerability. The update includes fixes to SQL handling and ensures continued compatibility with Postgres (Admidio Release).

The vulnerability was discovered and reported by Astra Security's team, who promptly notified Admidio's developers along with possible solutions. The Admidio team acknowledged this as a medium severity security vulnerability and recommended users to upgrade to version 4.2.13 as soon as possible (Admidio Blog).