Veracode Vulnerability DatabaseVERACODE:41286Cross-Site Scripting (XSS)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
73.3%
wintercms/winter and winter/storm are vulnerable to Cross-Site Scripting (XSS) attacks. The library does not properly escape user input, which allows an attacker with backend.manage_branding permissions to upload SVGs as the application logo and execute malicious javascript on victim’s browser.
References
packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html
github.com/advisories/GHSA-wjw2-4j7j-6gc3
github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be
github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c
github.com/wintercms/winter/releases/tag/v1.2.3
github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
73.3%