Description
Winter is a free, open-source content management system. Prior to 1.2.4, users with access to backend forms that include a ColorPicker FormWidget can provide a value that is then rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
References
- Patch
- Patch, Vendor Advisory
- Patch
- Patch, Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 1.2.4 (excluding)
cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
EPSS
Percentile: 54%
0.00316
Low
CVSS3: 2 Low
CVSS3: 5.4 Medium
Weaknesses
CWE-79
Related vulnerabilities
CVSS3: 2
github
about 2 years ago
Winter CMS Stored XSS through Backend ColorPicker FormWidget