CVE-2023-52084

MEDIUM WAF: High

CVSS 5.4 Published: 2023-12-28

CWE-79

Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.

WAF Coverage Analysis

Cross-Site Scripting (XSS) High WAF Coverage

OWASP: A03:2021 Injection

941xxx - XSS / XXE

Affected Software

Vendor	Product	Version
wintercms	winter	up to 1.2.4

References

github.com (Patch)
github.com (Patch, Vendor Advisory)

Back to CVE Database