VYPR

Packagist (Composer) package

wintercms/winter

pkg:composer/wintercms/winter

Vulnerabilities (3)

  • CVE-2024-29686 (Mar 29, 2024)
    affected <= 1.2.3

    Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted u

  • CVE-2023-37269 (Jul 7, 2023)
    affected < 1.2.3, fixed 1.2.3

    Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Prior to version 1.2.3, SVG uploads were not sanitized, which could have allowed a stored

  • CVE-2022-39357 (Oct 26, 2022)
    affected >= 1.1.8, < 1.1.10; fixed 1.1.10

    Winter is a free, open-source content management system based on the Laravel PHP framework. The Snowboard framework in versions 1.1.8, 1.1.9, and 1.2.0 is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader. The 1.0 branch of Winter is not a