CVE-2024-29686

Name of the Vulnerable Software and Affected Versions Winter CMS version 1.2.3

Description A Server-side Template Injection (SSTI) issue allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. The vendor disputes this vulnerability, stating that the payload could only be entered by a trusted user, such as the server owner or a developer.

Recommendations For Winter CMS version 1.2.3, as a temporary workaround, consider restricting access to the CMS Pages field and Plugin components to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.