Description
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
References
- Patch
- Patch, Vendor Advisory
- Patch
- Patch, Vendor Advisory
Vulnerable configurations
Configuration 1: versions before 1.2.4 (exclusive)
cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
EPSS
Percentile: 97%
0.38122
Medium
3.3 Low
CVSS3
5.4 Medium
CVSS3
Weaknesses
CWE-22
Related vulnerabilities
CVSS3: 3.3
github
about 2 years ago
Winter CMS Local File Inclusion through Server Side Template Injection