Iamunixtz

#52843 of 53,635
3.5 Total CVSS
Vulnerabilities · 1
PT-2026-6545
3.5
2026-02-04
Unknown · Winter Cms · CVE-2026-22254
**Name of the Vulnerable Software and Affected Versions**

Winter CMS versions prior to 1.2.10

**Description**

Winter CMS versions before 1.2.10 allow users with access to the CMS Asset Manager to upload Scalable Vector Graphics (SVGs) without proper sanitization. An attacker needs access to the Backend with a user account possessing the `cms.manage_assets` permission to exploit this issue. The `cms.manage_assets` permission should be restricted to trusted administrators and developers.

**Recommendations**

Upgrade to Winter CMS version 1.2.10 or later. As a workaround, apply commit 8a7f74b004fcd19721764fc63af0cdb339d9fb65 to your Winter CMS installation manually. Restrict the `cms.manage_assets` permission to trusted administrators and developers.