GHSA-g43w-98wp-m694: 
PHP vulnerability analysis and mitigation

A low-level vulnerability (GHSA-g43w-98wp-m694) was identified in the SilverStripe framework, known as the XML Quadratic Blowup Attack. The vulnerability was discovered in August 2014 and affected SilverStripe framework versions 3.1.0 through 3.1.11. The issue was patched in version 3.1.12, released on March 20, 2015 (SilverStripe Advisory).

The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Moderate severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue is classified under CWE-400 and CWE-776, relating to uncontrolled resource consumption and XML entity expansion. The vulnerability could be exploited through XML processing without proper entity expansion controls (GitHub Advisory).

The vulnerability could potentially be exploited to affect the performance of a site through XML entity expansion, leading to a denial of service condition. The attack specifically targets the availability of the system, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability was fixed in SilverStripe framework version 3.1.12. The fix includes implementation of XML entity expansion controls and doctype validation options in the XML processing functionality (Framework Commit).