CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

20 matches found

EUVD•added 2025/10/07 12:30 a.m.•1 views

EUVD-2020-0645

Malware in sbrugna...

4.8CVSS4.9AI score0.00917EPSS

Exploits3References8

OSV•added 2024/01/02 2:10 p.m.•13 views

GHSA-2X7R-93WW-CXRQ Winter CMS Local File Inclusion through Server Side Template Injection

Impact Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. By default, only th...

3.3CVSS5.3AI score0.39738EPSS

Exploits0References4

Veracode•added 2023/12/29 8:38 a.m.•15 views

Local File Inclusion

Winter CMS is vulnerable to Local File Inclusion. The vulnerability is due to improper user input validation within the ColorPicker FormWidget. This issue can be exploited by an attacker with access to the backend forms by including a malicious custom stylesheets via LESS in the ColorPicker...

5.4CVSS6.8AI score0.39738EPSS

Exploits0References2Affected Software1

NVD•added 2023/12/29 12:15 a.m.•7 views

CVE-2023-52085

Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local...

5.4CVSS0.39738EPSS

Exploits0References2

Prion•added 2023/12/29 12:15 a.m.•14 views

Use after free

5.5CVSS7AI score0.39738EPSS

Exploits0References2Affected Software1

OSV•added 2023/12/29 12:0 a.m.•11 views

CVE-2023-52085 Winter CMS Local File Inclusion through Server Side Template Injection

3.3CVSS5.3AI score0.39738EPSS

Exploits0References4

CVE•added 2023/12/29 12:0 a.m.•59 views

CVE-2023-52085

Winter CMS before 1.2.4 is vulnerable to Local File Inclusion through the ColorPicker FormWidget when backend forms pass values to LESS compilation. The root cause is unprocessed user input being included in generated stylesheets, enabling potential local file exposure. Affected component: ColorP...

5.4CVSS4.5AI score0.39738EPSS

Exploits0References2Affected Software1

NVD•added 2023/12/28 11:15 p.m.•8 views

CVE-2023-52084

Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patche...

5.4CVSS0.00316EPSS

Exploits0References2

Github Security Blog•added 2023/12/28 10:32 p.m.•22 views

Winter CMS Stored XSS through Backend ColorPicker FormWidget

Impact Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. By default, only the Brand Settings backend.managebranding and Mail Brand Settings...

5.4CVSS5.8AI score0.00316EPSS

Exploits0References4Affected Software1

OSV•added 2023/12/28 10:32 p.m.•20 views

GHSA-43W4-4J3C-JX29 Winter CMS Stored XSS through Backend ColorPicker FormWidget

2CVSS4.3AI score0.00316EPSS

Exploits0References4

Cvelist•added 2023/12/28 10:15 p.m.•13 views

CVE-2023-52084 Winter CMS Stored XSS through Backend ColorPicker FormWidget

2CVSS5.3AI score0.00316EPSS

Exploits0References2

CVE•added 2023/12/28 10:15 p.m.•43 views

CVE-2023-52084

Winter CMS Stored XSS (CVE-2023-52084) : The vulnerability is in Winter CMS prior to 1.2.4 where a value entered in backend forms using the ColorPicker FormWidget could be rendered unescaped, enabling stored XSS. Affected: versions before 1.2.4; root cause: unescaped rendering of input in backend...

5.4CVSS4.3AI score0.00316EPSS

Exploits0References2Affected Software1

Positive Technologies•added 2023/12/28 12:0 a.m.•2 views

PT-2023-31917 · Unknown · Winter Cms

Name of the Vulnerable Software and Affected Versions: Winter CMS versions prior to 1.2.4 Description: The issue concerns a Local File Inclusion vulnerability in Winter CMS, a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can...

5.4CVSS5.3AI score0.39738EPSS

Exploits0References10

Github Security Blog•added 2020/08/05 2:52 p.m.•27 views

Stored XSS in October

Impact A user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. Patches Issue has been patched in Build 466 v1.0.466 & RainLab.Blog v1.4.1 by restricting the...

4.8CVSS0.2AI score0.00917EPSS

Exploits3References7Affected Software1

OSV•added 2020/08/05 2:52 p.m.•16 views

GHSA-W4PJ-7P68-3VGV Stored XSS in October

3.5CVSS4.8AI score0.00917EPSS

Exploits3References6

Veracode•added 2020/07/15 3:27 a.m.•13 views

Cross-site Scripting (XSS)

october/october is vulnerable to cross-site scripting XSS. The vulnerability exists as the FormWidget markdown fields could have been used to store unsanitized input...

4.8CVSS1.4AI score0.00917EPSS

Exploits3References5Affected Software2

NVD•added 2020/07/14 9:15 p.m.•8 views

CVE-2020-11083

In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users...

4.8CVSS0.00917EPSS

Exploits3References5

OSV•added 2020/07/14 9:15 p.m.•8 views

CVE-2020-11083

4.8CVSS5.8AI score

Exploits0References5

Prion•added 2020/07/14 9:15 p.m.•11 views

Cross site scripting

3.5CVSS4.6AI score0.00917EPSS

Exploits3References5Affected Software1

Cvelist•added 2020/07/14 8:55 p.m.•10 views

CVE-2020-11083 Stored XSS in October