CVE-2024-25875: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in the Header module of Enhavo CMS version 0.13.1. The vulnerability was disclosed on February 22, 2024, and is tracked as CVE-2024-25875. The vulnerability affects the Undertitle text field in the Header module of Enhavo CMS, allowing attackers to execute arbitrary web scripts or HTML via crafted payloads (NVD, FortiGuard).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue (CWE-79) that exists in the Header module's Undertitle field. The CVSS v3.1 base score is 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires user interaction, has a network attack vector, and can potentially impact both confidentiality and integrity at a low level (NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary web scripts or HTML in the context of the user's browser. The stored nature of the XSS means that the malicious payload persists in the application and executes whenever the affected page is accessed, potentially affecting multiple users (GitHub POC).

Users should avoid using versions <=0.13.1 of the enhavo/enhavo-app package. The vulnerability has been identified and reported, but specific patch information is not yet publicly available (FortiGuard).