CVE-2024-35498: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in Grav CMS version 1.7.45. The vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload, particularly affecting users with restricted page creation privileges (NVD, Medium Blog).

The vulnerability exists due to insufficient input validation in the page creation functionality. Users with restricted page creation privileges can bypass JavaScript restrictions by exploiting the ondblclick event in HTML tags, specifically using the anchor tag. While direct JavaScript insertion is blocked, attackers can leverage HTML events to execute malicious scripts. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. The impact extends to all users who visit the affected pages, potentially leading to session hijacking, data theft, or further system compromise (GitHub POC).

As of the current information available, there is no official patch released. However, administrators should implement robust input validation and content filtering measures to prevent the execution of unauthorized scripts. Additionally, restricting the use of dangerous HTML tags and implementing proper content security policies can help mitigate the risk (GitHub POC).