CVE-2023-49006: 
PHP vulnerability analysis and mitigation

Cross Site Request Forgery (CSRF) vulnerability was discovered in Phpsysinfo version 3.4.3, affecting the XML.php file. The vulnerability was disclosed on December 19, 2023, and allows remote attackers to obtain sensitive information through a crafted page (NVD, CVE).

The vulnerability exists in the JSONP data mode functionality of the XML.php file, which allows attackers to perform JSONP hijacking. When a user visits a specially crafted page, the attacker can retrieve JSON data from the vulnerable system. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The exploitation of this vulnerability could lead to the disclosure of sensitive information including internal network information, IP addresses, server names, and network topologies. This exposed data could potentially be used by attackers to map internal network structures and identify additional targets for more targeted attacks (GitHub Issue).

The vulnerability has been patched by disabling the JSONP data mode by default for security reasons. The fix was implemented in commit 4f2cee505e4f2e9b369a321063ff2c5e0c34ba45. Users should upgrade to the patched version or ensure JSONP data mode is disabled in their configuration (GitHub Commit).