High severity 8.1 · NVD Advisory · Published Oct 26, 2022 · Updated Jun 17, 2026
CVE-2022-39357
Description
Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not affected, as it does not contain the Snowboard framework. This issue has been patched in v1.1.10 and v1.2.1. As a workaround, one may avoid this issue by following some common security practices for JavaScript, including implementing a content security policy and auditing scripts.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wintercms/winter (Packagist) | >= 1.1.8, < 1.1.10 | 1.1.10 |
| wintercms/winter (Packagist) | >= 1.2.0, < 1.2.1 | 1.2.1 |
References
- github.com/wintercms/winter/commit/2a13faf99972e84c9661258f16c4750fa99d29a1 (nvd; Patch, Third Party Advisory; WEB)
- github.com/wintercms/winter/commit/bce4b59584abf961e9400af3d7a4fd7638e26c7f (nvd; Patch, Third Party Advisory; WEB)
- github.com/wintercms/winter/security/advisories/GHSA-3fh5-q6fg-w28q (nvd; Patch, Third Party Advisory; WEB)
- github.com/advisories/GHSA-3fh5-q6fg-w28q (ghsa; ADVISORY)
- github.com/wintercms/winter/releases/tag/v1.1.10 (nvd; Release Notes, Third Party Advisory; WEB)
- github.com/wintercms/winter/releases/tag/v1.2.1 (nvd; Release Notes, Third Party Advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2022-39357 (ghsa; ADVISORY)