Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager
Vulnerability Description
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Winter 安全漏洞
Vulnerability Description
Winter是Winter开源的一款基于 Laravel PHP 框架的免费开源内容管理系统。 Winter 1.2.10之前版本存在安全漏洞,该漏洞源于允许具有CMS资源管理器访问权限的用户上传未经自动清理的SVG文件,可能导致安全风险。
CVSS Information
N/A
Vulnerability Type
N/A