2 matches found
CVE-2023-52085 Winter CMS Local File Inclusion through Server Side Template Injection
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local...
CVE-2023-52085
Winter CMS before 1.2.4 is vulnerable to Local File Inclusion through the ColorPicker FormWidget when backend forms pass values to LESS compilation. The root cause is unprocessed user input being included in generated stylesheets, enabling potential local file exposure. Affected component: ColorP...