CVE-2025-2123: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in GeSHi versions up to 1.0.9.1, discovered on March 8, 2025. The vulnerability affects the get_var function in the /contrib/cssgen.php file of the CSS Handler component. This security issue impacts systems that use composer to install the GeSHi library and have not removed the contrib directory, including popular platforms like Dokuwiki, Mambo, phpBB, and WikkaWiki (GitHub Issue).

The vulnerability stems from improper input validation in the get_var function within the cssgen.php file. The function fails to properly sanitize or escape user input parameters, including default-styles, keywords-1, keywords-2, keywords-3, keywords-4, and comments. The CVSS v3.1 base score is 3.5 (LOW), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Code Injection) (VulDB).

Successful exploitation of this vulnerability allows remote attackers to inject malicious HTML code into the cssgen.php file, which can be executed when users view the affected page. The attack primarily impacts the integrity of the system and requires user interaction for successful exploitation (VulDB).

Currently, there is no official patch or mitigation strategy announced. It is recommended to consider replacing the affected component with an alternative product until a security fix is available (VulDB).