CVE-2023-52084

Name of the Vulnerable Software and Affected Versions Winter CMS versions prior to 1.2.4

Description The issue affects users with access to backend forms that include a ColorPicker FormWidget, allowing them to provide a value that would then be rendered unescaped in the backend form, potentially leading to a stored XSS attack. Although the severity of this issue is relatively low, exploitation requires an attacker to have trusted access to the Winter CMS backend and convince a user with higher privileges to visit an affected form. The vulnerability has been patched in version 1.2.4.

Recommendations For Winter CMS versions prior to 1.2.4, update to version 1.2.4 to ensure the system remains secure. As a temporary workaround, consider manually applying the patch from https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba if unable to upgrade to version 1.2.4. Restrict access to backend forms that include the ColorPicker FormWidget to minimize the risk of exploitation.