GHSA-vgxh-x8jv-hmff: 
PHP vulnerability analysis and mitigation

A high severity code execution vulnerability (GHSA-vgxh-x8jv-hmff) was discovered in the Silverstripe Framework affecting versions >= 4.0.3-rc1, < 4.0.4 and >= 4.1.0-rc1, < 4.1.1. The vulnerability was disclosed on May 24, 2018, and allows arbitrary global functions to be executed through malicious user input passed to the second argument of ViewableData::renderWith (Silverstripe Advisory).

The vulnerability exists in the ViewableData::renderWith method where associative arrays are resolved as template placeholders. The exploit requires user code that utilizes the second argument in renderWith and passes user input directly as a value in an associative array without proper sanitization (such as Convert::raw2xml()). The vulnerability has a CVSS v3.1 base score of 7.5 (High) with the following metrics: Network attack vector, High complexity, Low privileges required, No user interaction, Unchanged scope, and High impact on confidentiality, integrity, and availability (GitHub Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary global functions through malicious user input, potentially leading to unauthorized code execution on the affected system. The vulnerability has high impact ratings for confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability has been patched in Silverstripe Framework versions 4.0.4 and 4.1.1. Users should upgrade to these or later versions. It's worth noting that ViewableData::customise is not vulnerable to this exploit (Silverstripe Advisory).