Package details: pkg:composer/wintercms/winter@1.2.4
purl: pkg:composer/wintercms/winter@1.2.4
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability: VCID-5xr1-7ygw-3bbc
Summary: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
Aliases: CVE-2023-52085, GHSA-2x7r-93ww-cxrq
Vulnerability: VCID-az9d-6cx4-h3bk
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4.
Aliases: CVE-2023-52083, GHSA-4wvw-75qh-fqjp
Vulnerability: VCID-rw7w-16uk-eqfv
Summary: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Winter is a free, open-source content management system. Prior to 1.2.4, users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
Aliases: CVE-2023-52084, GHSA-43w4-4j3c-jx29
Vulnerability: VCID-vym1-uam4-v3ff
Summary: Winter CMS Server-Side Template Injection (SSTI) vulnerability. Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components.
Aliases: CVE-2024-29686, GHSA-8r5j-gm3j-cx9c