Winter Security Vulnerabilities and Issues — Winter CVE List

Lucene search

WintercmsWinter

7 matches found

CVE•added 2024/03/29 4:15 p.m.•75 views

CVE-2024-29686

Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the ow...

7.2CVSS7.9AI score0.02723EPSS

CVE•added 2022/10/26 3:15 p.m.•67 views

CVE-2022-39357

Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does...

9.8CVSS8.9AI score0.0013EPSS

CVE•added 2024/12/09 9:15 p.m.•45 views

CVE-2024-54149

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates sections that modify Twig files to bypass the sandbox placed on Twig files and modify resources such...

8.4CVSS8.8AI score0.00083EPSS

CVE•added 2023/07/07 10:15 p.m.•43 views

CVE-2023-37269

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the backend.manage_branding permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting...

4.8CVSS4.4AI score0.0094EPSS

CVE•added 2023/12/29 12:15 a.m.•39 views

CVE-2023-52085

Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local F...

5.4CVSS4.5AI score0.44908EPSS

CVE•added 2023/12/28 11:15 p.m.•25 views

CVE-2023-52083

Winter is a free, open-source content management system. Prior to 1.2.4, users with the media.manage_media permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a sto...

4.8CVSS4.1AI score0.0036EPSS

CVE•added 2023/12/28 11:15 p.m.•25 views

CVE-2023-52084

Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched ...

5.4CVSS4.3AI score0.00316EPSS