Dismissed
Permalink
CVE-2026-22254
0.0 NONE
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): HIGH
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed package vscode-extensions.johnpapa.winteriscoming
- @LeSuisse dismissed
Winter Affected by Stored Cross-Site Scripting (XSS) in Asset Manager
Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10.
References
- https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65 x_refsource_MISC
- https://github.com/wintercms/winter/releases/tag/v1.2.10 x_refsource_MISC
- https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm x_refsource_CONFIRM
- https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm x_refsource_CONFIRM
- https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65 x_refsource_MISC
- https://github.com/wintercms/winter/releases/tag/v1.2.10 x_refsource_MISC
Affected products
winter
- ==< 1.2.10