PT-2026-24850 · Git+2 · Winter+1

Skyhex19

·

Published

2026-03-11

·

Updated

2026-03-13

·

CVE-2026-27591

CVSS v3.1

9.9

Critical

Vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Winter CMS versions prior to 1.0.477
Winter CMS versions prior to 1.1.12
Winter CMS versions prior to 1.2.12

Description

Winter CMS, a content management system built on the Laravel PHP framework, contained a flaw that allowed authenticated backend users to raise their own access level within the system. By sending specially crafted requests to the backend, a user could modify the roles and permissions associated with their own account. Exploitation required existing backend access with any user account. The result is privilege escalation.

Recommendations

Update to Winter CMS version 1.0.477 or later.
Update to Winter CMS version 1.1.12 or later.
Update to Winter CMS version 1.2.12 or later.

Exploit

Fix

LPE

IDOR

Improper Access Control


Weakness Enumeration

Related identifiers

CVE-2026-27591
GHSA-PGPF-M8M4-6CG6

Affected products

Winter
Winter/Wn-Backend-Module