CVE-2023-49087: 
PHP vulnerability analysis and mitigation

CVE-2023-49087 affects xml-security, a library that implements XML signatures and encryption. The vulnerability was discovered and disclosed on November 30, 2023, impacting versions before 1.6.12 and 5.0.0-alpha.13. The issue lies in the validation process of XML signatures, specifically in how the library handles the verification of DigestValue in SignedInfo elements (NVD, GitHub Advisory).

The vulnerability stems from a mismatch in signature validation processes. While the signature is calculated over the canonical version of the SignedInfo-tree, the validateReference method uses the original non-canonicalized version of SignedInfo. This discrepancy could potentially be exploited if an attacker manages to manipulate the canonicalized version's DigestValue through potential bugs in PHP's canonicalization function. The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N, indicating a network-accessible vulnerability with high attack complexity (GitHub Advisory).

If successfully exploited, the vulnerability could allow an attacker to potentially forge signatures by manipulating the DigestValue in the canonicalized version. This could lead to unauthorized modifications of signed data, compromising the integrity of the XML signature validation process (GitHub Advisory).

The vulnerability has been patched in xml-security version 1.6.12 and 5.0.0-alpha.13. Users are advised to upgrade to these or later versions to address the security issue (NVD).