CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score
Confidence: High

EPSS
Percentile: 14.0%

Winter CMS is vulnerable to Stored Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization in the rename functionality for files uploaded to the Media Manager. An attacker with the media.manage_media permission can exploit this issue by uploading a file and later renaming it to a malicious payload, which injects JavaScript into the application.