Low severity · NVD Advisory · Published Dec 28, 2023 · Updated Apr 17, 2025
Winter CMS Stored XSS through Backend ColorPicker FormWidget
CVE-2023-52084
Description
Winter is a free, open-source content management system. Prior to 1.2.4, users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issue has been patched in v1.2.4.
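The following is an added example, not code from the Winter CMS project, that shows the two output contexts the ColorPicker partial writes the stored value into (an element body and a double-quoted attribute), what happens when the value is echoed verbatim versus through an HTML-escaping helper, and an input-side allow-list check as defence in depth. It assumes that Winter's `e()` helper behaves like Laravel's, i.e. `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`; a stand-in with that behaviour is defined so the file runs without the framework. The function names, the hex-colour validation, and the sample values are all constructed for this illustration.

```php
<?php
// Added example (not Winter CMS code). Assumption: Winter's e() helper is
// equivalent to htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); this stand-in
// is only used when the framework helper is not loaded.
if (!function_exists('e')) {
    function e(?string $value): string
    {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
}

// Pre-1.2.4 behaviour: the stored value is written verbatim into both the
// <span> body and the <input value=""> attribute.
function renderUnescaped(string $value): string
{
    return '<span data-color-value class="form-control">' . $value . '</span>' . "\n"
        . '<input data-color-value class="form-control" placeholder="No color" value="' . $value . '">';
}

// 1.2.4 behaviour: the same markup with e() applied at both output points,
// so '"', '<' and '>' become entities and cannot close the attribute or tag.
function renderEscaped(string $value): string
{
    return '<span data-color-value class="form-control">' . e($value) . '</span>' . "\n"
        . '<input data-color-value class="form-control" placeholder="No color" value="' . e($value) . '">';
}

// Defence in depth (constructed for this example, not part of the fix): a
// colour picker only needs to persist a hex colour, so reject anything else
// server-side before saving instead of relying on output escaping alone.
function isValidHexColor(string $value): bool
{
    return preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value) === 1;
}

// Constructed sample values: one legitimate colour and one that carries HTML
// metacharacters, which is what an unescaped partial would render as markup.
$samples = ['#3c8dbc', '#3c8dbc"><b>not a colour</b>'];

foreach ($samples as $sample) {
    printf("input:      %s\n", $sample);
    printf("valid hex:  %s\n", isValidHexColor($sample) ? 'yes' : 'no');
    printf("unescaped:  %s\n", renderUnescaped($sample));
    printf("escaped:    %s\n\n", renderEscaped($sample));
}
```

Run with `php example.php`. The second sample passes through `renderUnescaped()` as live markup but comes out of `renderEscaped()` with `&quot;`, `&lt;` and `&gt;` in place of the metacharacters; it also fails `isValidHexColor()`, which is the check that would have kept it out of storage in the first place. Escaping at the output point is what the 1.2.4 fix does and is the necessary change; the allow-list is an additional layer, not a substitute for it.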
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| winter/wn-backend-module (Packagist) | < 1.2.4 | 1.2.4 |
Patches
517f65dfae67 Escape output of colorpicker values
1 file changed · +2 −2
modules/backend/formwidgets/colorpicker/partials/_colorpicker.php+2 −2 modified@@ -31,14 +31,14 @@ class=" data-color-value class="form-control" > - <?= $value ?> + <?= e($value); ?> </span> <?php else: ?> <input data-color-value class="form-control" placeholder="No color" - value="<?= $value ?>" + value="<?= e($value); ?>" <?php if ($disabled): ?> disabled <?php endif ?>
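Review bot: Both output sites in `_colorpicker.php` shown in this hunk, the `<span>` body (`<?= e($value); ?>`) and the `<input ... value="<?= e($value); ?>"` attribute, now pass `$value` through `e()`, which covers the HTML-body and double-quoted-attribute contexts; consider additionally validating the submitted value against a hex-colour pattern before it is saved, so a non-colour string never reaches storage, and confirm that no other partial or script in the widget still reads the raw `$value`, since the hunk only covers these two lines. Minor style point: the trailing `;` inside `<?= e($value); ?>` is redundant in a short echo tag and differs from the surrounding `<?= ... ?>` usage.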
References
- github.com/advisories/GHSA-43w4-4j3c-jx29 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-52084 (NVD advisory)
- github.com/wintercms/winter/commit/517f65dfae679b57575b047de13c5af48915a5ba (fix commit)
- github.com/wintercms/winter/security/advisories/GHSA-43w4-4j3c-jx29 (vendor advisory)