GitHub_MCVELIST:CVE-2023-52085CVE-2023-52085 Winter CMS Local File Inclusion through Server Side Template Injection
3.3 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
5.6 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
67.8%
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
CNA Affected
[
{
"vendor": "wintercms",
"product": "winter",
"versions": [
{
"version": "< 1.2.4",
"status": "affected"
}
]
}
]Related
3.3 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
5.6 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
67.8%