CVE-2023-52085
Severity: MEDIUM | WAF: High
CVSS 5.4
Published: 2023-12-29
CWE-22
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| wintercms | winter | up to 1.2.4 |
References
- github.com (Patch)
- github.com (Patch, Vendor Advisory)