CVE-2023-49052: 
PHP vulnerability analysis and mitigation

File Upload vulnerability in Microweber version 2.0.4 allows remote attackers to execute arbitrary code through the file upload function in created forms component. The vulnerability was discovered on November 14, 2023, and affects the File Upload feature in Microweber CMS forms, even when certain types of file validation are enabled (GitHub Report, GitHub CVE).

The vulnerability exists in the file upload functionality of created forms where malicious HTML files can be uploaded despite validation measures being in place. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue bypasses file type restrictions, including when 'Image Files' and custom file type validations like 'jpg' are configured (NVD Database).

The successful exploitation of this vulnerability allows attackers to upload and execute malicious scripts that can lead to various harmful activities, including theft of session cookies, login credentials compromise, unauthorized redirects, and potential malware installation. The vulnerability provides attackers with the ability to execute arbitrary code on the affected system (GitHub Report).

The recommended mitigation is to update to the latest version of Microweber (version 2.0.5 or later) which contains fixes for this vulnerability (GitHub CVE).