CVE-2023-48701: 
PHP vulnerability analysis and mitigation

Statamic CMS, a Laravel and Git powered content management system, was found to have a vulnerability (CVE-2023-48701) where HTML files crafted to look like images could be uploaded regardless of mime validation. This vulnerability affects versions prior to 3.4.15 and 4.36.0, specifically impacting front-end forms using the 'Forms' feature containing an assets field, as well as the control panel where authentication is required (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. However, GitHub's assessment rates it higher at 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:H. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows attackers to upload HTML files disguised as images, potentially leading to Cross-Site Scripting (XSS) attacks. This affects both the front-end forms with asset fields and the authenticated control panel interface (Vendor Advisory).

The vulnerability has been patched in versions 3.4.15 and 4.36.0. The fix includes improvements to file extension validation and appropriate file extension application when uploading (Release Notes, Release Notes).