Advisories for Composer/Wintercms/Winter package

2024
2023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the backend.manage_branding permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored cross-site scripting (XSS) attack. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would …

2022

Prototype pollution in Snowboard framework

Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid …

Bypass of CMS Safe Mode Security Feature

Authenticated users with permissions to create or modify theme template objects through the backend CMS editor can exploit this vulnerability to bypass the cms.enableSafeMode security feature if enabled (disables modification of PHP code through the web interface when enabled). This is only an issue for Winter CMS instances that rely on the Safe Mode security feature to prevent privileged users from modifying the PHP code of CMS theme template objects …