CVE-2023-52085
published 2023-12-29


Priority: P3 (48), medium, 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EXPLOIT
EPSS: 30.17% (98.0th percentile)
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| winter | wn-backend-module | >= 0 < 1.2.4 | 1.2.4 |
| wintercms | winter | < 1.2.4 | 1.2.4 |