Lucene search
K

229 matches found

OSV
OSV
added 2023/12/28 10:11 p.m.33 views

CVE-2023-52083 Stored XSS through privileged upload of Media Manager file followed by renaming

Winter is a free, open-source content management system. Prior to 1.2.4, users with the media.managemedia permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a...

2CVSS4.8AI score0.00311EPSS
Exploits0References4
CVE
CVE
added 2023/12/28 10:11 p.m.54 views

CVE-2023-52083

CVE-2023-52083 affects Winter CMS. Before 1.2.4, users with the media.manage_media permission could upload files to the Media Manager and rename them after upload, with sanitization only on upload (not on rename), allowing a stored XSS vulnerability. The issue has been patched in v1.2.4.

4.8CVSS4.1AI score0.00311EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2023/12/28 10:11 p.m.34 views

CVE-2023-52083 Stored XSS through privileged upload of Media Manager file followed by renaming

Winter is a free, open-source content management system. Prior to 1.2.4, users with the media.managemedia permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a...

2CVSS5AI score0.00311EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2023/12/28 12:0 a.m.7 views

PT-2023-31916 · Unknown · Winter Cms

Name of the Vulnerable Software and Affected Versions: Winter CMS versions prior to 1.2.4 Description: The issue affects users with access to backend forms that include a ColorPicker FormWidget, allowing them to provide a value that would then be rendered unescaped in the backend form, potentiall...

5.4CVSS5AI score0.00309EPSS
Exploits0References10
CNNVD
CNNVD
added 2023/12/28 12:0 a.m.7 views

Winter Cross-Site Scripting Vulnerability

Winter is a free, open source, self-hosted CMS platform based on the Laravel PHP framework. A cross-site scripting vulnerability exists in Winter versions prior to 1.2.4, which stems from the presence of a stored cross-site scripting XSS vulnerability...

4.8CVSS5.8AI score0.00311EPSS
Exploits0References3
CNNVD
CNNVD
added 2023/12/28 12:0 a.m.5 views

Winter Cross-Site Scripting Vulnerability

Winter is a free, open source, self-hosted CMS platform based on the Laravel PHP framework. A cross-site scripting vulnerability exists in Winter versions prior to 1.2.4, which stems from the presence of a stored cross-site scripting XSS vulnerability...

5.4CVSS5.8AI score0.00309EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2023/12/28 12:0 a.m.6 views

PT-2023-31917 · Unknown · Winter Cms

Name of the Vulnerable Software and Affected Versions: Winter CMS versions prior to 1.2.4 Description: The issue concerns a Local File Inclusion vulnerability in Winter CMS, a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can...

5.4CVSS5.3AI score0.30166EPSS
Exploits0References10
Packet Storm
Packet Storm
added 2023/12/07 12:0 a.m.132 views

Winter CMS 1.2.2 Server-Side Template Injection

Exploit Title: Winter CMS 1.2.2 / 1.2.3 - Server-Side Template Injection SSTI Authenticated Exploit Author: tmrswrr Date: 12/05/2023 Vendor: https://wintercms.com/ Software Link: https://github.com/wintercms/winter/releases/v1.2.2 Vulnerable Versions: 1.2.2 / 1.2.3 Tested :...

7.4AI score
Exploits0
0day.today
0day.today
added 2023/12/07 12:0 a.m.307 views

Winter CMS 1.2.2 / 1.2.3 Server-Side Template Injection Vulnerability

Exploit Title: Winter CMS 1.2.2 / 1.2.3 - Server-Side Template Injection SSTI Authenticated Exploit Author: tmrswrr Date: 12/05/2023 Vendor: https://wintercms.com/ Software Link: https://github.com/wintercms/winter/releases/v1.2.2 Vulnerable Versions: 1.2.2 / 1.2.3 Tested :...

7.4AI score
Exploits0
Packet Storm
Packet Storm
added 2023/12/06 12:0 a.m.451 views

Winter CMS 1.2.2 Server-Side Template Injection

Exploit Title: Winter CMS 1.2.2 - Server-Side Template Injection SSTI Authenticated Exploit Author: tmrswrr Date: 12/05/2023 Vendor: https://wintercms.com/ Software Link: https://github.com/wintercms/winter/releases/v1.2.2 Vulnerable Versions: 1.2.2 Tested :...

7.4AI score
Exploits0
hivepro
hivepro
added 2023/10/31 5:56 a.m.41 views

Attacks, Vulnerabilities and Actors 23 October to 29 October 2023

For a detailed threat digest, download the pdf file here Summary HiveForce Labs has recently made several significant discoveries related to cybersecurity threats. Over the past week, we identified a total of seven executed attacks, two instances of adversary activity, and three exploited...

4.9CVSS7.4AI score0.75873EPSS
Exploits2
hivepro
hivepro
added 2023/10/27 7:45 a.m.50 views

Winter Vivern Capitalizes on Zero-Day Flaw in Roundcube

Threat Level Attack Report For a detailed threat advisory, download the pdf file here Summary The Winter Vivern cyberespionage group has been actively exploiting a zero-day vulnerability in the Roundcube webmail. The identified vulnerability, CVE-2023-5631, permits stored cross-site scripting...

4.9CVSS6.6AI score0.75873EPSS
Exploits2
The Hacker News
The Hacker News
added 2023/10/25 1:20 p.m.79 views

Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security...

6.1CVSS5.8AI score0.75873EPSS
Exploits3
HackRead
HackRead
added 2023/10/25 12:5 p.m.28 views

APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities

By Waqas ESET Research Uncovers New Targeted Campaign Impacting European Governments and Think Tanks. This is a post from HackRead.com Read the original post: APT Winter Vivern Exploits New Roundcube 0-Day to Target European Entities...

7AI score
Exploits0
The Hacker News
The Hacker News
added 2023/08/11 2:23 p.m.33 views

Researchers Uncover Years-Long Cyber Espionage on Foreign Embassies in Belarus

A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus. "Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle AitM attacks at the...

7.3AI score
Exploits0
Veracode
Veracode
added 2023/07/14 8:44 a.m.18 views

Cross-Site Scripting (XSS)

wintercms/winter and winter/storm are vulnerable to Cross-Site Scripting XSS attacks. The library does not properly escape user input, which allows an attacker with backend.managebranding permissions to upload SVGs as the application logo and execute malicious javascript on victim's browser...

4.8CVSS6.2AI score0.027EPSS
Exploits4References6Affected Software2
NVD
NVD
added 2023/07/07 10:15 p.m.46 views

CVE-2023-37269

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Users with the backend.managebranding permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting...

4.8CVSS4.4AI score0.027EPSS
Exploits4References5
Prion
Prion
added 2023/07/07 10:15 p.m.16 views

Cross site scripting

Winter is a free, open-source content management system CMS based on the Laravel PHP framework. Users with the backend.managebranding permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting...

4.3CVSS4.8AI score0.027EPSS
Exploits4References5Affected Software1
OSV
OSV
added 2023/07/07 9:20 p.m.11 views

GHSA-WJW2-4J7J-6GC3 Winter CMS stored XSS through privileged upload of SVG file

Impact Users with the backend.managebranding permission can upload SVGs as the application logo. Previously, SVG uploads were not sanitized, which could have allowed a stored XSS attack. Although this was a security issue, it's important to note that its severity is low. To exploit the...

2CVSS4.3AI score0.027EPSS
Exploits4References7
Github Security Blog
Github Security Blog
added 2023/07/07 9:20 p.m.37 views

Winter CMS stored XSS through privileged upload of SVG file

Impact Users with the backend.managebranding permission can upload SVGs as the application logo. Previously, SVG uploads were not sanitized, which could have allowed a stored XSS attack. Although this was a security issue, it's important to note that its severity is low. To exploit the...

4.8CVSS6.2AI score0.027EPSS
Exploits4References7Affected Software1
Rows per page
Query Builder