Packagist (Composer) package
winter/wn-backend-module
pkg:composer/winter/wn-backend-module
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-27591 | — | | | >= 1.2.0, < 1.2.12 | 1.2.12 | Mar 11, 2026 | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Prior to 1.0.477, 1.1.12, and 1.2.12, Winter CMS allowed authenticated backend users to escalate their account's level of access to the system by modifying the roles / permissions ass |
| CVE-2023-52085 | Low | 3.3 | | < 1.2.4 | 1.2.4 | Dec 29, 2023 | Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential t |
| CVE-2023-52084 | Low | 2.0 | | < 1.2.4 | 1.2.4 | Dec 28, 2023 | Winter is a free, open-source content management system. Prior to 1.2.4, users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be rendered unescaped in the backend form, potentially allowing for a stored XSS attack. This issu |