CVE-2024-47618: 
PHP vulnerability analysis and mitigation

Sulu, a PHP content management system, was found to be vulnerable to Cross-Site Scripting (XSS) in versions 2.0.0 through 2.6.4. The vulnerability was discovered and disclosed on October 3, 2024, and was assigned CVE-2024-47618. The issue affects the Media section of the CMS, where low-privileged users can upload SVG files containing malicious payloads (GitHub Advisory).

The vulnerability exists in the web filtering functionality where SVG files with malicious payloads can be uploaded through the Media section. When these SVG files are accessed, the malicious JavaScript code embedded within them is executed in the victims' browsers, including administrators. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers with low-privileged access to execute arbitrary JavaScript code in the browsers of other users, including administrators, who access the uploaded malicious SVG files. This could lead to session hijacking, credential theft, or other client-side attacks (GitHub Advisory).

The vulnerability has been patched in Sulu version 2.6.5. Users are strongly advised to upgrade to this version or later to protect against this security issue. The fix includes implementation of proper SVG file sanitization and validation mechanisms (GitHub Advisory).