Sanineng

#47415of 53,632
5.3Total CVSS
Vulnerabilities · 2
Low
2
PT-2023-31916
2.0
2023-12-28
Unknown · Winter Cms · CVE-2023-52084
**Name of the Vulnerable Software and Affected Versions** Winter CMS versions prior to 1.2.4 **Description** The issue affects users with access to backend forms that include a ColorPicker FormWidget, allowing them to provide a value that would then be rendered unescaped in the backend form, potentially leading to a stored XSS attack. Although the severity of this issue is relatively low, exploitation requires an attacker to have trusted access to the Winter CMS backend and convince a user with higher privileges to visit an affected form. The vulnerability has been patched in version 1.2.4. **Recommendations** For Winter CMS versions prior to 1.2.4, update to version 1.2.4 to ensure the system remains secure. As a temporary workaround, consider manually applying the patch from https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba if unable to upgrade to version 1.2.4. Restrict access to backend forms that include the ColorPicker FormWidget to minimize the risk of exploitation.
PT-2023-31917
3.3
2023-12-28
Unknown · Winter Cms · CVE-2023-52085
**Name of the Vulnerable Software and Affected Versions** Winter CMS versions prior to 1.2.4 **Description** The issue concerns a Local File Inclusion vulnerability in Winter CMS, a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. The vulnerability is related to the `ColorPicker FormWidget` and the compilation of custom stylesheets via LESS. **Recommendations** For versions prior to 1.2.4, update to version 1.2.4 to resolve the issue. As a temporary workaround, consider disabling the `ColorPicker FormWidget` in backend forms until a patch is available. Apply the patch from https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd manually if unable to upgrade to v1.2.4. Restrict access to the `Theme Customization` form and other forms that include the `ColorPicker FormWidget` to minimize the risk of exploitation.