Winter is a free, open-source content management system. Prior to 1.2.4, users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
References
Link | Resource |
---|---|
https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba | Patch |
https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29 | Patch, Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-12-28T22:15:59.952Z
Updated: 2023-12-28T22:15:59.952Z
Reserved: 2023-12-26T17:23:22.236Z
Link: CVE-2023-52084
NVD Information
Status: Analyzed
Published: 2023-12-28T23:15:43.777
Modified: 2024-01-05T00:08:19.287
Link: CVE-2023-52084
Redhat Information
No data.
CWE