Search criteria
21 vulnerabilities found for winter by wintercms
FKIE_CVE-2024-54149
Vulnerability from fkie_nvd - Published: 2024-12-09 21:15 - Updated: 2025-06-24 16:34
Severity ?
Summary
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1E8EB972-6FC7-459A-8735-317B16D3D13A",
"versionEndExcluding": "1.0.476",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "28405A57-E2C5-4D35-81D5-6291250A6DA6",
"versionEndExcluding": "1.1.11",
"versionStartIncluding": "1.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A50B227-4218-4AA1-BC31-814F12645061",
"versionEndExcluding": "1.2.7",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models."
},
{
"lang": "es",
"value": "Winter es un sistema de gesti\u00f3n de contenido (CMS) gratuito y de c\u00f3digo abierto basado en el marco PHP Laravel. Las versiones anteriores a las 1.2.7, 1.1.11 y 1.0.476 de Winter CMS permiten a los usuarios con acceso a las secciones de plantillas de CMS que modifican archivos Twig eludir la zona protegida colocada en los archivos Twig y modificar recursos como los valores de personalizaci\u00f3n del tema o modificar o eliminar plantillas en el tema incluso si no se les proporciona acceso directo a trav\u00e9s de los permisos. Como todos los objetos que pasan a trav\u00e9s de Twig son referencias a los objetos activos, tambi\u00e9n es posible manipular los datos del modelo si los modelos se pasan directamente a Twig, incluido el cambio de atributos o incluso la eliminaci\u00f3n de registros por completo. En la mayor\u00eda de los casos, este es un comportamiento no deseado y potencialmente peligroso. Para explotar activamente este problema de seguridad, un atacante necesitar\u00eda acceso al backend con una cuenta de usuario con cualquiera de los siguientes permisos: `cms.manage_layouts`; `cms.manage_pages`; o `cms.manage_partials`. El fabricante Winter CMS recomienda encarecidamente que estos permisos se reserven \u00fanicamente para administradores y desarrolladores de confianza en general. Los encargados del mantenimiento de Winter CMS han aumentado significativamente el alcance de la sandbox, haciendo que todos los modelos y fuentes de datos sean de solo lectura en Twig, en las versiones 1.2.7, 1.1.11 y 1.0.476. Aquellos que no puedan actualizar pueden aplicar el commit. fb88e6fabde3b3278ce1844e581c87dcf7daee22 a su instalaci\u00f3n de Winter CMS manualmente para resolver el problema. En el caso poco frecuente de que un usuario de Winter dependa de poder escribir en modelos/fuentes de datos dentro de sus plantillas de Twig, deber\u00eda usar o crear componentes para realizar cambios en sus modelos."
}
],
"id": "CVE-2024-54149",
"lastModified": "2025-06-24T16:34:55.680",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-12-09T21:15:08.600",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/fb88e6fabde3b3278ce1844e581c87dcf7daee22"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-xhw3-4j3m-hq53"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-184"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-29686
Vulnerability from fkie_nvd - Published: 2024-03-29 16:15 - Updated: 2025-05-28 19:04
Severity ?
Summary
Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wintercms:winter:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BA910FF6-7A57-499A-8E58-0E9BA52415C4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them."
},
{
"lang": "es",
"value": "Vulnerabilidad de Server-side Template Injection (SSTI) en Winter CMS v.1.2.3 permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de un payload manipulado en el campo P\u00e1ginas del CMS y los componentes del complemento. NOTA: el proveedor cuestiona esto porque el payload solo puede ser ingresada por un usuario confiable, como el propietario del servidor que aloja Winter CMS, o un desarrollador que trabaja para ellos."
}
],
"id": "CVE-2024-29686",
"lastModified": "2025-05-28T19:04:33.710",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-03-29T16:15:08.047",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.exploit-db.com/exploits/51893"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.exploit-db.com/exploits/51893"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-97"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-52085
Vulnerability from fkie_nvd - Published: 2023-12-29 00:15 - Updated: 2024-11-21 08:39
Severity ?
3.3 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1EE69DF4-BDE7-4A22-9947-BBD648026BA4",
"versionEndExcluding": "1.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4."
},
{
"lang": "es",
"value": "Winter es un sistema de gesti\u00f3n de contenidos gratuito y de c\u00f3digo abierto. Los usuarios con acceso a formularios backend que incluyen un ColorPicker FormWidget pueden proporcionar un valor que luego se incluir\u00eda sin procesamiento adicional en la compilaci\u00f3n de hojas de estilo personalizadas a trav\u00e9s de LESS. Esto ten\u00eda el potencial de provocar una vulnerabilidad de inclusi\u00f3n de archivos locales. Este problema se solucion\u00f3 en la versi\u00f3n 1.2.4."
}
],
"id": "CVE-2023-52085",
"lastModified": "2024-11-21T08:39:08.413",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T00:15:50.300",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-52083
Vulnerability from fkie_nvd - Published: 2023-12-28 23:15 - Updated: 2024-11-21 08:39
Severity ?
2.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1EE69DF4-BDE7-4A22-9947-BBD648026BA4",
"versionEndExcluding": "1.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4."
},
{
"lang": "es",
"value": "Winter es un sistema de gesti\u00f3n de contenidos gratuito y de c\u00f3digo abierto. Antes de 1.2.4, los usuarios con el permiso `media.manage_media` pod\u00edan cargar archivos en el Media Manager y cambiarles el nombre despu\u00e9s de cargarlos. Anteriormente, los archivos del Media Manager solo se sanitizaban al cargarlos, no al cambiarles el nombre, lo que podr\u00eda haber permitido un ataque XSS almacenado. Este problema se solucion\u00f3 en la versi\u00f3n 1.2.4."
}
],
"id": "CVE-2023-52083",
"lastModified": "2024-11-21T08:39:08.150",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-28T23:15:43.557",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-52084
Vulnerability from fkie_nvd - Published: 2023-12-28 23:15 - Updated: 2024-11-21 08:39
Severity ?
2.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1EE69DF4-BDE7-4A22-9947-BBD648026BA4",
"versionEndExcluding": "1.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4."
},
{
"lang": "es",
"value": "Winter es un sistema de gesti\u00f3n de contenidos gratuito y de c\u00f3digo abierto. Antes de 1.2.4, los usuarios con acceso a formularios de backend que incluyen un FormWidget ColorPicker pueden proporcionar un valor que luego se mostrar\u00eda sin formato de escape en el formulario de backend, lo que podr\u00eda permitir un ataque XSS almacenado. Este problema se solucion\u00f3 en la versi\u00f3n 1.2.4."
}
],
"id": "CVE-2023-52084",
"lastModified": "2024-11-21T08:39:08.280",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-28T23:15:43.777",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-37269
Vulnerability from fkie_nvd - Published: 2023-07-07 22:15 - Updated: 2024-11-21 08:11
Severity ?
2.0 (Low) - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F876B358-C52D-448E-A902-D2FF56361DC1",
"versionEndExcluding": "1.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually."
}
],
"id": "CVE-2023-37269",
"lastModified": "2024-11-21T08:11:21.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-07T22:15:09.483",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-39357
Vulnerability from fkie_nvd - Published: 2022-10-26 15:15 - Updated: 2024-11-21 07:18
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wintercms:winter:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "25F4ACF9-EC8A-4364-B2BA-85E84249BC6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wintercms:winter:1.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "76A06D2A-A8E4-4806-8CE0-B0D80F1AC67C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wintercms:winter:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0DB89CAA-64A8-45A4-8A78-F1C79908C96B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts."
},
{
"lang": "es",
"value": "Winter es un sistema de administraci\u00f3n de contenidos gratuito y de c\u00f3digo abierto basado en el framework PHP Laravel. El framework Snowboard en versiones 1.1.8, 1.1.9 y 1.2.0, es vulnerable a una contaminaci\u00f3n de prototipos en la clase principal de Snowboard as\u00ed como en su cargador de plugins. La rama 1.0 de Winter no est\u00e1 afectada, ya que no contiene el framework Snowboard. Este problema ha sido parcheado en versiones 1.1.10 y 1.2.1. Como mitigaci\u00f3n, puede evitarse este problema siguiendo algunas pr\u00e1cticas comunes de seguridad para JavaScript, incluyendo la implementaci\u00f3n de una pol\u00edtica de seguridad de contenidos y la auditor\u00eda de scripts"
}
],
"id": "CVE-2022-39357",
"lastModified": "2024-11-21T07:18:06.553",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-26T15:15:20.250",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.1.10"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.1.10"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1321"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-54149 (GCVE-0-2024-54149)
Vulnerability from cvelistv5 – Published: 2024-12-09 20:54 – Updated: 2024-12-10 17:13
VLAI?
Title
Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion
Summary
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models.
Severity ?
8.5 (High)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T16:11:07.059128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:13:11.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.7"
},
{
"status": "affected",
"version": "\u003e= 1.1.0, \u003c 1.1.11"
},
{
"status": "affected",
"version": "\u003c 1.0.476"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T20:54:41.797Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-xhw3-4j3m-hq53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-xhw3-4j3m-hq53"
},
{
"name": "https://github.com/wintercms/winter/commit/fb88e6fabde3b3278ce1844e581c87dcf7daee22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/fb88e6fabde3b3278ce1844e581c87dcf7daee22"
}
],
"source": {
"advisory": "GHSA-xhw3-4j3m-hq53",
"discovery": "UNKNOWN"
},
"title": "Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-54149",
"datePublished": "2024-12-09T20:54:41.797Z",
"dateReserved": "2024-11-29T18:02:16.756Z",
"dateUpdated": "2024-12-10T17:13:11.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29686 (GCVE-0-2024-29686)
Vulnerability from cvelistv5 – Published: 2024-03-29 00:00 – Updated: 2024-08-23 13:55 Disputed
VLAI?
Summary
Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them.
Severity ?
7.2 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wintercms:winter:1.2.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "1.2.3"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29686",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T13:55:31.249487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-97",
"description": "CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T13:55:48.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/51893"
},
{
"tags": [
"x_transferred"
],
"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"
},
{
"tags": [
"x_transferred"
],
"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T00:52:53.676560",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.exploit-db.com/exploits/51893"
},
{
"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"
},
{
"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29686",
"datePublished": "2024-03-29T00:00:00",
"dateReserved": "2024-03-19T00:00:00",
"dateUpdated": "2024-08-23T13:55:48.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52085 (GCVE-0-2023-52085)
Vulnerability from cvelistv5 – Published: 2023-12-29 00:00 – Updated: 2024-08-02 22:48
VLAI?
Title
Winter CMS Local File Inclusion through Server Side Template Injection
Summary
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.111Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq"
},
{
"name": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T00:00:03.968Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq"
},
{
"name": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd"
}
],
"source": {
"advisory": "GHSA-2x7r-93ww-cxrq",
"discovery": "UNKNOWN"
},
"title": "Winter CMS Local File Inclusion through Server Side Template Injection "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-52085",
"datePublished": "2023-12-29T00:00:03.968Z",
"dateReserved": "2023-12-26T17:23:22.236Z",
"dateUpdated": "2024-08-02T22:48:12.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52084 (GCVE-0-2023-52084)
Vulnerability from cvelistv5 – Published: 2023-12-28 22:15 – Updated: 2025-04-17 20:27
VLAI?
Title
Winter CMS Stored XSS through Backend ColorPicker FormWidget
Summary
Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29"
},
{
"name": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-03T15:50:20.364956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T20:27:13.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T22:15:59.952Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29"
},
{
"name": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba"
}
],
"source": {
"advisory": "GHSA-43w4-4j3c-jx29",
"discovery": "UNKNOWN"
},
"title": "Winter CMS Stored XSS through Backend ColorPicker FormWidget"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-52084",
"datePublished": "2023-12-28T22:15:59.952Z",
"dateReserved": "2023-12-26T17:23:22.236Z",
"dateUpdated": "2025-04-17T20:27:13.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52083 (GCVE-0-2023-52083)
Vulnerability from cvelistv5 – Published: 2023-12-28 22:11 – Updated: 2024-08-02 22:48
VLAI?
Title
Stored XSS through privileged upload of Media Manager file followed by renaming
Summary
Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.132Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp"
},
{
"name": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T22:11:55.494Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp"
},
{
"name": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491"
}
],
"source": {
"advisory": "GHSA-4wvw-75qh-fqjp",
"discovery": "UNKNOWN"
},
"title": "Stored XSS through privileged upload of Media Manager file followed by renaming"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-52083",
"datePublished": "2023-12-28T22:11:55.494Z",
"dateReserved": "2023-12-26T17:23:22.236Z",
"dateUpdated": "2024-08-02T22:48:12.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37269 (GCVE-0-2023-37269)
Vulnerability from cvelistv5 – Published: 2023-07-07 21:19 – Updated: 2025-02-13 16:56
VLAI?
Title
Winter CMS vulnerable to stored XSS through privileged upload of SVG file
Summary
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:09:34.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3"
},
{
"name": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be"
},
{
"name": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c"
},
{
"name": "https://github.com/wintercms/winter/releases/tag/v1.2.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.3"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T16:06:15.709Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3"
},
{
"name": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be"
},
{
"name": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c"
},
{
"name": "https://github.com/wintercms/winter/releases/tag/v1.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.3"
},
{
"url": "http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html"
}
],
"source": {
"advisory": "GHSA-wjw2-4j7j-6gc3",
"discovery": "UNKNOWN"
},
"title": "Winter CMS vulnerable to stored XSS through privileged upload of SVG file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37269",
"datePublished": "2023-07-07T21:19:38.971Z",
"dateReserved": "2023-06-29T19:35:26.438Z",
"dateUpdated": "2025-02-13T16:56:39.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39357 (GCVE-0-2022-39357)
Vulnerability from cvelistv5 – Published: 2022-10-26 00:00 – Updated: 2025-04-23 16:43
VLAI?
Title
Winter vulnerable to Prototype Pollution in Snowboard framework
Summary
Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts.
Severity ?
8.1 (High)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.122Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.1.10"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:25.512688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:43:01.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1.8, \u003c 1.1.10"
},
{
"status": "affected",
"version": "= 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-26T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q"
},
{
"url": "https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1"
},
{
"url": "https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f"
},
{
"url": "https://github.com/wintercms/winter/releases/tag/v1.1.10"
},
{
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.1"
}
],
"source": {
"advisory": "GHSA-3fh5-q6fg-w28q",
"discovery": "UNKNOWN"
},
"title": "Winter vulnerable to Prototype Pollution in Snowboard framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39357",
"datePublished": "2022-10-26T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:43:01.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54149 (GCVE-0-2024-54149)
Vulnerability from nvd – Published: 2024-12-09 20:54 – Updated: 2024-12-10 17:13
VLAI?
Title
Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion
Summary
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models.
Severity ?
8.5 (High)
CWE
- CWE-184 - Incomplete List of Disallowed Inputs
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-10T16:11:07.059128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-10T17:13:11.005Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.2.7"
},
{
"status": "affected",
"version": "\u003e= 1.1.0, \u003c 1.1.11"
},
{
"status": "affected",
"version": "\u003c 1.0.476"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such as theme customisation values or modify, or remove, templates in the theme even if not provided direct access via the permissions. As all objects passed through to Twig are references to the live objects, it is also possible to also manipulate model data if models are passed directly to Twig, including changing attributes or even removing records entirely. In most cases, this is unwanted behavior and potentially dangerous. To actively exploit this security issue, an attacker would need access to the Backend with a user account with any of the following permissions: `cms.manage_layouts`; `cms.manage_pages`; or `cms.manage_partials`. The Winter CMS maintainers strongly recommend that these permissions only be reserved to trusted administrators and developers in general. The maintainers of Winter CMS have significantly increased the scope of the sandbox, effectively making all models and datasources read-only in Twig, in versions 1.2.7, 1.1.11, and 1.0.476. Thse who cannot upgrade may apply commit fb88e6fabde3b3278ce1844e581c87dcf7daee22 to their Winter CMS installation manually to resolve the issue. In the rare event that a Winter user was relying on being able to write to models/datasources within their Twig templates, they should instead use or create components to make changes to their models."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T20:54:41.797Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-xhw3-4j3m-hq53",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-xhw3-4j3m-hq53"
},
{
"name": "https://github.com/wintercms/winter/commit/fb88e6fabde3b3278ce1844e581c87dcf7daee22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/fb88e6fabde3b3278ce1844e581c87dcf7daee22"
}
],
"source": {
"advisory": "GHSA-xhw3-4j3m-hq53",
"discovery": "UNKNOWN"
},
"title": "Winter CMS Modules allows a sandbox bypass in Twig templates leading to data modification and deletion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-54149",
"datePublished": "2024-12-09T20:54:41.797Z",
"dateReserved": "2024-11-29T18:02:16.756Z",
"dateUpdated": "2024-12-10T17:13:11.005Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29686 (GCVE-0-2024-29686)
Vulnerability from nvd – Published: 2024-03-29 00:00 – Updated: 2024-08-23 13:55 Disputed
VLAI?
Summary
Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them.
Severity ?
7.2 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wintercms:winter:1.2.3:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "1.2.3"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-29686",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T13:55:31.249487Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-97",
"description": "CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T13:55:48.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:55.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/51893"
},
{
"tags": [
"x_transferred"
],
"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"
},
{
"tags": [
"x_transferred"
],
"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T00:52:53.676560",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.exploit-db.com/exploits/51893"
},
{
"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"
},
{
"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-29686",
"datePublished": "2024-03-29T00:00:00",
"dateReserved": "2024-03-19T00:00:00",
"dateUpdated": "2024-08-23T13:55:48.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52085 (GCVE-0-2023-52085)
Vulnerability from nvd – Published: 2023-12-29 00:00 – Updated: 2024-08-02 22:48
VLAI?
Title
Winter CMS Local File Inclusion through Server Side Template Injection
Summary
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.111Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq"
},
{
"name": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-29T00:00:03.968Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq"
},
{
"name": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd"
}
],
"source": {
"advisory": "GHSA-2x7r-93ww-cxrq",
"discovery": "UNKNOWN"
},
"title": "Winter CMS Local File Inclusion through Server Side Template Injection "
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-52085",
"datePublished": "2023-12-29T00:00:03.968Z",
"dateReserved": "2023-12-26T17:23:22.236Z",
"dateUpdated": "2024-08-02T22:48:12.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52084 (GCVE-0-2023-52084)
Vulnerability from nvd – Published: 2023-12-28 22:15 – Updated: 2025-04-17 20:27
VLAI?
Title
Winter CMS Stored XSS through Backend ColorPicker FormWidget
Summary
Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29"
},
{
"name": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-03T15:50:20.364956Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T20:27:13.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T22:15:59.952Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29"
},
{
"name": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba"
}
],
"source": {
"advisory": "GHSA-43w4-4j3c-jx29",
"discovery": "UNKNOWN"
},
"title": "Winter CMS Stored XSS through Backend ColorPicker FormWidget"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-52084",
"datePublished": "2023-12-28T22:15:59.952Z",
"dateReserved": "2023-12-26T17:23:22.236Z",
"dateUpdated": "2025-04-17T20:27:13.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52083 (GCVE-0-2023-52083)
Vulnerability from nvd – Published: 2023-12-28 22:11 – Updated: 2024-08-02 22:48
VLAI?
Title
Stored XSS through privileged upload of Media Manager file followed by renaming
Summary
Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.132Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp"
},
{
"name": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-28T22:11:55.494Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp"
},
{
"name": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491"
}
],
"source": {
"advisory": "GHSA-4wvw-75qh-fqjp",
"discovery": "UNKNOWN"
},
"title": "Stored XSS through privileged upload of Media Manager file followed by renaming"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-52083",
"datePublished": "2023-12-28T22:11:55.494Z",
"dateReserved": "2023-12-26T17:23:22.236Z",
"dateUpdated": "2024-08-02T22:48:12.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-37269 (GCVE-0-2023-37269)
Vulnerability from nvd – Published: 2023-07-07 21:19 – Updated: 2025-02-13 16:56
VLAI?
Title
Winter CMS vulnerable to stored XSS through privileged upload of SVG file
Summary
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:09:34.099Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3"
},
{
"name": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be"
},
{
"name": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c"
},
{
"name": "https://github.com/wintercms/winter/releases/tag/v1.2.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.3"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-17T16:06:15.709Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3"
},
{
"name": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be"
},
{
"name": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c"
},
{
"name": "https://github.com/wintercms/winter/releases/tag/v1.2.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.3"
},
{
"url": "http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html"
}
],
"source": {
"advisory": "GHSA-wjw2-4j7j-6gc3",
"discovery": "UNKNOWN"
},
"title": "Winter CMS vulnerable to stored XSS through privileged upload of SVG file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37269",
"datePublished": "2023-07-07T21:19:38.971Z",
"dateReserved": "2023-06-29T19:35:26.438Z",
"dateUpdated": "2025-02-13T16:56:39.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39357 (GCVE-0-2022-39357)
Vulnerability from nvd – Published: 2022-10-26 00:00 – Updated: 2025-04-23 16:43
VLAI?
Title
Winter vulnerable to Prototype Pollution in Snowboard framework
Summary
Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts.
Severity ?
8.1 (High)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:44.122Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.1.10"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:47:25.512688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T16:43:01.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "winter",
"vendor": "wintercms",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1.8, \u003c 1.1.10"
},
{
"status": "affected",
"version": "= 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-26T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q"
},
{
"url": "https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1"
},
{
"url": "https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f"
},
{
"url": "https://github.com/wintercms/winter/releases/tag/v1.1.10"
},
{
"url": "https://github.com/wintercms/winter/releases/tag/v1.2.1"
}
],
"source": {
"advisory": "GHSA-3fh5-q6fg-w28q",
"discovery": "UNKNOWN"
},
"title": "Winter vulnerable to Prototype Pollution in Snowboard framework"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39357",
"datePublished": "2022-10-26T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-23T16:43:01.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}