← volver
CVE-2023-52084

Winter CMS Stored XSS through Backend ColorPicker FormWidget

CVSS 2 LOWEPSS 0.3%CWE-79
Winter is a free, open-source content management system. Prior to 1.2.4, Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
Productos afectados
wintercms · winter

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5bahttps://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29