CVE-2024-46998: 
PHP vulnerability analysis and mitigation

baserCMS, a website development framework, was found to contain a cross-site scripting (XSS) vulnerability in versions prior to 5.1.2. The vulnerability was discovered in the Edit Email Form Settings Feature and was assigned CVE-2024-46998. The issue was disclosed on October 24, 2024, and was patched in version 5.1.2 (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) by GitHub with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, indicating network attack vector, low attack complexity, low privileges required, and no user interaction needed. The NVD has assigned a different CVSS score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows malicious code execution in the Edit Email Form Settings feature, potentially compromising the security of the affected systems. The impact primarily affects confidentiality and integrity of the system, with no direct impact on availability (GitHub Advisory).

The recommended mitigation is to update to baserCMS version 5.1.2 or later, which contains the fix for this vulnerability (NVD, GitHub Advisory).