CVE-2023-37269

Name of the Vulnerable Software and Affected Versions Winter CMS versions prior to 1.2.3

Description The issue concerns a stored cross-site scripting (XSS) attack that could be executed by uploading malicious SVG files as the application logo. Users with the backend.manage branding permission can upload SVGs. To exploit this, an attacker would need developer or super user level permissions and convince the victim to visit the URL of the malicious SVG directly. The application must also use local storage, serving uploaded files under the same domain instead of a CDN, because SVGs are rendered through an img tag, preventing direct payload execution. These factors limit the potential harm.

Recommendations For versions prior to 1.2.3, update to version 1.2.3 to patch the issue through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a temporary workaround, apply the patches manually from the provided GitHub commits.