CVE-2023-52085
Published: 29 December 2023
Summary
CVE-2023-52085 is a low-severity Path Traversal (CWE-22) vulnerability in Wintercms Winter. Its CVSS base score is 3.3 (Low).
Operationally, it is ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Winter CMS, a free open-source content management system, contains a path traversal vulnerability tracked as CVE-2023-52085 and assigned CWE-22. The flaw resides in the ColorPicker FormWidget: values supplied through backend forms are passed unprocessed into LESS stylesheet compilation, enabling local file inclusion when the resulting stylesheets are generated.
An authenticated user holding backend access sufficient to reach affected forms can supply a crafted color value that traverses the filesystem during LESS processing. Successful exploitation yields limited read and write access to arbitrary local files, though the CVSS 3.3 score reflects the high attack complexity and requirement for high privileges.
The Winter CMS project has published a security advisory (GHSA-2x7r-93ww-cxrq) and applied a fix in version 1.2.4; the corresponding patch appears in commit 5bc9257fe2bc47d8b786a1b1bf96bafad23d8ddd on the project repository. Administrators should upgrade promptly and restrict backend form access to trusted roles until patches are applied. The associated EPSS score has remained in the 0.40 range with a modest peak of 0.46 and does not indicate a pronounced post-disclosure increase in exploitation interest.
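The analysis above turns on a form value reaching LESS compilation unprocessed. The following added example (not Winter's code and not the patch in the referenced commit) shows one way to allowlist color values before they are written into LESS variables; the function names and sample input are hypothetical, and PHP 8 is assumed.

```php
<?php
// Added example: allowlist validation for color values before they become
// LESS variables. Function names and sample data are hypothetical.

// Returns a normalized color, or null unless the value is exactly one of:
// #rgb, #rgba, #rrggbb, #rrggbbaa, rgb(r, g, b), rgba(r, g, b, a).
function normalizeColor(mixed $value): ?string
{
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);

    // Hex forms: anchored with \A and \z so nothing can follow the color.
    if (preg_match('/\A#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})\z/i', $value)) {
        return strtolower($value);
    }

    // rgb()/rgba(): channels 0-255, optional alpha between 0 and 1.
    $re = '/\Argba?\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*(?:,\s*(0|1|0?\.\d+)\s*)?\)\z/';
    if (preg_match($re, $value, $m)) {
        foreach ([1, 2, 3] as $i) {
            if ((int) $m[$i] > 255) {
                return null;
            }
        }
        $rgb = "{$m[1]}, {$m[2]}, {$m[3]}";
        return isset($m[4]) && $m[4] !== '' ? "rgba($rgb, {$m[4]})" : "rgb($rgb)";
    }
    return null;
}

// Builds LESS variable declarations from validated names and colors only.
function buildLessVars(array $formValues): string
{
    $out = '';
    foreach ($formValues as $name => $raw) {
        $color = normalizeColor($raw);
        if ($color === null || !preg_match('/\A[a-z][a-z0-9-]*\z/', (string) $name)) {
            throw new InvalidArgumentException("Rejected value for '$name'");
        }
        $out .= "@{$name}: {$color};\n";
    }
    return $out;
}

// Constructed sample input.
echo buildLessVars(['brand-primary' => '#3498DB', 'accent' => 'rgba(0, 0, 0, 0.5)']);
var_dump(normalizeColor('#3498db; anything-else')); // trailing text is rejected
```

Rejecting rather than stripping unexpected characters keeps the stored value and the compiled stylesheet consistent, and a rejected submission is worth logging as a signal of tampering by a backend account.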
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0225
Vulnerability details
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.