CVE-2023-52085

Name of the Vulnerable Software and Affected Versions Winter CMS versions prior to 1.2.4

Description The issue concerns a Local File Inclusion vulnerability in Winter CMS, a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. The vulnerability is related to the ColorPicker FormWidget and the compilation of custom stylesheets via LESS.

Recommendations For versions prior to 1.2.4, update to version 1.2.4 to resolve the issue. As a temporary workaround, consider disabling the ColorPicker FormWidget in backend forms until a patch is available. Apply the patch from https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd manually if unable to upgrade to v1.2.4. Restrict access to the Theme Customization form and other forms that include the ColorPicker FormWidget to minimize the risk of exploitation.