Look up vulnerable packages by Package URL.

Purl pkg:composer/wintercms/winter@1.1.10
Type composer
Namespace wintercms
Name winter
Version 1.1.10
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.2.4
Latest_non_vulnerable_version 1.2.4
Affected_by_vulnerabilities
0
url VCID-5xr1-7ygw-3bbc
vulnerability_id VCID-5xr1-7ygw-3bbc
summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-52085
reference_id
reference_type
scores
0
value 0.39738
scoring_system epss
scoring_elements 0.97401
published_at 2026-06-09T12:55:00Z
1
value 0.39738
scoring_system epss
scoring_elements 0.974
published_at 2026-06-07T12:55:00Z
2
value 0.39738
scoring_system epss
scoring_elements 0.97399
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-52085
1
reference_url https://github.com/wintercms/winter
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter
2
reference_url https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/commit/5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-52085
reference_id CVE-2023-52085
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-52085
4
reference_url https://github.com/advisories/GHSA-2x7r-93ww-cxrq
reference_id GHSA-2x7r-93ww-cxrq
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2x7r-93ww-cxrq
5
reference_url https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq
reference_id GHSA-2x7r-93ww-cxrq
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq
fixed_packages
0
url pkg:composer/wintercms/winter@1.2.4
purl pkg:composer/wintercms/winter@1.2.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.2.4
aliases CVE-2023-52085, GHSA-2x7r-93ww-cxrq
risk_score 1.5
exploitability 0.5
weighted_severity 3.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5xr1-7ygw-3bbc
1
url VCID-az9d-6cx4-h3bk
vulnerability_id VCID-az9d-6cx4-h3bk
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Winter is a free, open-source content management system. Prior to 1.2.4, users with the `media.manage_media` permission can upload files to the Media Manager and rename them after uploading. Previously, media manager files were only sanitized on upload, not on renaming, which could have allowed a stored XSS attack. This issue has been patched in v1.2.4.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-52083
reference_id
reference_type
scores
0
value 0.0036
scoring_system epss
scoring_elements 0.58511
published_at 2026-06-09T12:55:00Z
1
value 0.0036
scoring_system epss
scoring_elements 0.58496
published_at 2026-06-08T12:55:00Z
2
value 0.0036
scoring_system epss
scoring_elements 0.5851
published_at 2026-06-07T12:55:00Z
3
value 0.0036
scoring_system epss
scoring_elements 0.58518
published_at 2026-06-06T12:55:00Z
4
value 0.0036
scoring_system epss
scoring_elements 0.58509
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-52083
1
reference_url https://github.com/wintercms/winter
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter
2
reference_url https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/commit/2969daeea8dee64d292dbaa3778ea251e2a7e491
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-52083
reference_id CVE-2023-52083
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-52083
4
reference_url https://github.com/advisories/GHSA-4wvw-75qh-fqjp
reference_id GHSA-4wvw-75qh-fqjp
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4wvw-75qh-fqjp
5
reference_url https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp
reference_id GHSA-4wvw-75qh-fqjp
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/security/advisories/GHSA-4wvw-75qh-fqjp
fixed_packages
0
url pkg:composer/wintercms/winter@1.2.4
purl pkg:composer/wintercms/winter@1.2.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.2.4
aliases CVE-2023-52083, GHSA-4wvw-75qh-fqjp
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-az9d-6cx4-h3bk
2
url VCID-rw7w-16uk-eqfv
vulnerability_id VCID-rw7w-16uk-eqfv
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Winter is a free, open-source content management system. Prior to 1.2.4, users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-52084
reference_id
reference_type
scores
0
value 0.00316
scoring_system epss
scoring_elements 0.55038
published_at 2026-06-08T12:55:00Z
1
value 0.00316
scoring_system epss
scoring_elements 0.55064
published_at 2026-06-06T12:55:00Z
2
value 0.00316
scoring_system epss
scoring_elements 0.55056
published_at 2026-06-05T12:55:00Z
3
value 0.00316
scoring_system epss
scoring_elements 0.55058
published_at 2026-06-09T12:55:00Z
4
value 0.00316
scoring_system epss
scoring_elements 0.55055
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-52084
1
reference_url https://github.com/wintercms/winter
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter
2
reference_url https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba
reference_id
reference_type
scores
0
value 2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-03T15:50:20Z/
url https://github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-52084
reference_id CVE-2023-52084
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-52084
4
reference_url https://github.com/advisories/GHSA-43w4-4j3c-jx29
reference_id GHSA-43w4-4j3c-jx29
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-43w4-4j3c-jx29
5
reference_url https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29
reference_id GHSA-43w4-4j3c-jx29
reference_type
scores
0
value 2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
2
value LOW
scoring_system cvssv3.1_qr
scoring_elements
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-01-03T15:50:20Z/
url https://github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29
fixed_packages
0
url pkg:composer/wintercms/winter@1.2.4
purl pkg:composer/wintercms/winter@1.2.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.2.4
aliases CVE-2023-52084, GHSA-43w4-4j3c-jx29
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rw7w-16uk-eqfv
3
url VCID-u5yg-4pha-jfhm
vulnerability_id VCID-u5yg-4pha-jfhm
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. This issue has been patched in v1.2.3 through the inclusion of full support for SVG uploads and automatic sanitization of uploaded SVG files. As a workaround, one may apply the patches manually.
references
0
reference_url http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url http://packetstormsecurity.com/files/173520/WinterCMS-1.2.2-Cross-Site-Scripting.html
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-37269
reference_id
reference_type
scores
0
value 0.01317
scoring_system epss
scoring_elements 0.80221
published_at 2026-06-06T12:55:00Z
1
value 0.01317
scoring_system epss
scoring_elements 0.8021
published_at 2026-06-08T12:55:00Z
2
value 0.01317
scoring_system epss
scoring_elements 0.80217
published_at 2026-06-07T12:55:00Z
3
value 0.01317
scoring_system epss
scoring_elements 0.8023
published_at 2026-06-09T12:55:00Z
4
value 0.01317
scoring_system epss
scoring_elements 0.80218
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-37269
2
reference_url https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/storm/commit/186d85d8fea2cae43afc807d39f68553c24e56be
3
reference_url https://github.com/wintercms/winter
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter
4
reference_url https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/commit/fa50b4c7489b67ea80072f8ac9fe5294fce1df1c
5
reference_url https://github.com/wintercms/winter/releases/tag/v1.2.3
reference_id
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/releases/tag/v1.2.3
6
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/51591.txt
reference_id CVE-2023-37269
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/php/webapps/51591.txt
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-37269
reference_id CVE-2023-37269
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-37269
8
reference_url https://github.com/advisories/GHSA-wjw2-4j7j-6gc3
reference_id GHSA-wjw2-4j7j-6gc3
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wjw2-4j7j-6gc3
9
reference_url https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
reference_id GHSA-wjw2-4j7j-6gc3
reference_type
scores
0
value 2.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3
fixed_packages
0
url pkg:composer/wintercms/winter@1.2.3
purl pkg:composer/wintercms/winter@1.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5xr1-7ygw-3bbc
1
vulnerability VCID-az9d-6cx4-h3bk
2
vulnerability VCID-rw7w-16uk-eqfv
3
vulnerability VCID-vym1-uam4-v3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.2.3
aliases CVE-2023-37269, GHSA-wjw2-4j7j-6gc3
risk_score 5.4
exploitability 2.0
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u5yg-4pha-jfhm
4
url VCID-vym1-uam4-v3ff
vulnerability_id VCID-vym1-uam4-v3ff
summary
Winter CMS Server-Side Template Injection (SSTI) vulnerability
Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-29686
reference_id
reference_type
scores
0
value 0.04466
scoring_system epss
scoring_elements 0.89313
published_at 2026-06-09T12:55:00Z
1
value 0.04466
scoring_system epss
scoring_elements 0.89295
published_at 2026-06-07T12:55:00Z
2
value 0.04466
scoring_system epss
scoring_elements 0.89296
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-29686
1
reference_url https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-23T13:55:31Z/
url https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779
2
reference_url https://github.com/wintercms/winter
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter
3
reference_url https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-23T13:55:31Z/
url https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure
4
reference_url https://www.exploit-db.com/exploits/51893
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-08-23T13:55:31Z/
url https://www.exploit-db.com/exploits/51893
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-29686
reference_id CVE-2024-29686
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-29686
6
reference_url https://github.com/advisories/GHSA-8r5j-gm3j-cx9c
reference_id GHSA-8r5j-gm3j-cx9c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8r5j-gm3j-cx9c
fixed_packages
0
url pkg:composer/wintercms/winter@1.2.4
purl pkg:composer/wintercms/winter@1.2.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.2.4
aliases CVE-2024-29686, GHSA-8r5j-gm3j-cx9c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vym1-uam4-v3ff
Fixing_vulnerabilities
0
url VCID-wysf-arkv-w3h7
vulnerability_id VCID-wysf-arkv-w3h7
summary
Prototype pollution in Snowboard framework
### Impact

The Snowboard framework in affected versions is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. 

### Patches

This issue has been patched in https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1 (for 1.2) and https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f (for 1.1) and is available with Winter v1.1.10 and v1.2.1.

### Workarounds

If you have not yet upgraded, or are using the 1.1 branch of Winter (1.1.8 or above), you can avoid this issue by following some common security practices for JavaScript, including implementing a [content security policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and auditing your scripts.

The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework.

### For more information

If you have any questions or comments about this advisory:

- Email us at [hello@wintercms.com](mailto:hello@wintercms.com)
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-39357
reference_id
reference_type
scores
0
value 0.01086
scoring_system epss
scoring_elements 0.78241
published_at 2026-06-04T12:55:00Z
1
value 0.01086
scoring_system epss
scoring_elements 0.7827
published_at 2026-06-09T12:55:00Z
2
value 0.01086
scoring_system epss
scoring_elements 0.78252
published_at 2026-06-08T12:55:00Z
3
value 0.01086
scoring_system epss
scoring_elements 0.78264
published_at 2026-06-07T12:55:00Z
4
value 0.01086
scoring_system epss
scoring_elements 0.78274
published_at 2026-06-06T12:55:00Z
5
value 0.01086
scoring_system epss
scoring_elements 0.78267
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-39357
1
reference_url https://github.com/wintercms/winter
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter
2
reference_url https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1
3
reference_url https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f
4
reference_url https://github.com/wintercms/winter/releases/tag/v1.1.10
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/releases/tag/v1.1.10
5
reference_url https://github.com/wintercms/winter/releases/tag/v1.2.1
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/releases/tag/v1.2.1
6
reference_url https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-39357
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-39357
8
reference_url https://github.com/advisories/GHSA-3fh5-q6fg-w28q
reference_id GHSA-3fh5-q6fg-w28q
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3fh5-q6fg-w28q
fixed_packages
0
url pkg:composer/wintercms/winter@1.1.10
purl pkg:composer/wintercms/winter@1.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5xr1-7ygw-3bbc
1
vulnerability VCID-az9d-6cx4-h3bk
2
vulnerability VCID-rw7w-16uk-eqfv
3
vulnerability VCID-u5yg-4pha-jfhm
4
vulnerability VCID-vym1-uam4-v3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.1.10
1
url pkg:composer/wintercms/winter@1.2.1
purl pkg:composer/wintercms/winter@1.2.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5xr1-7ygw-3bbc
1
vulnerability VCID-az9d-6cx4-h3bk
2
vulnerability VCID-rw7w-16uk-eqfv
3
vulnerability VCID-u5yg-4pha-jfhm
4
vulnerability VCID-vym1-uam4-v3ff
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.2.1
aliases CVE-2022-39357, GHSA-3fh5-q6fg-w28q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wysf-arkv-w3h7
Risk_score 5.4
Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/wintercms/winter@1.1.10