CVE-2023-6551: 
PHP vulnerability analysis and mitigation

CVE-2023-6551 is a vulnerability discovered in the class.upload.php library, an open-source project maintained by Colin Verot. The vulnerability was identified and disclosed on January 4, 2024. The issue affects all versions of the library and involves insufficient validation of uploaded files (CERT Advisory).

The vulnerability is classified as an Unrestricted Upload of File with Dangerous Type (CWE-434). The library does not perform adequate in-depth checks on uploaded files, which can lead to a stored Cross-Site Scripting (XSS) vulnerability when using the default configuration. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability could allow an attacker to execute stored XSS attacks through uploaded files. This poses a security risk particularly when the library is used with its default configuration, potentially leading to unauthorized script execution in the context of other users' browsers (CERT Advisory).

The vendor has acknowledged the vulnerability but has decided not to remove it from the library. Instead, developers are advised to implement specific security measures: use extension whitelisting for uploaded files and configure the server to always provide content-type based on file extensions. These guidelines have been added to the project's README documentation (CERT Advisory).