CVE-2023-52083: 
PHP vulnerability analysis and mitigation

Winter CMS, a free and open-source content management system, was found to contain a stored XSS vulnerability (CVE-2023-52083) prior to version 1.2.4. The vulnerability was discovered when users with media.manage_media permission could upload files to the Media Manager and rename them after uploading, with file sanitization only occurring during upload but not during renaming (GitHub Advisory).

The vulnerability stems from insufficient sanitization of SVG files during the renaming process in the Media Manager component. While files were properly sanitized during the initial upload, the sanitization check was bypassed during file renaming operations. The vulnerability has been assigned a CVSS v3.1 base score of 2.0 LOW with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N, indicating a network-accessible vulnerability requiring high privileges and user interaction (NVD).

The impact of this vulnerability is considered low due to several mitigating factors. To exploit the vulnerability, an attacker would need to already have trusted permissions in the Winter CMS backend. Additionally, successful exploitation requires the victim to directly visit the URL of the maliciously uploaded SVG, and the application must be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN (GitHub Advisory).

The vulnerability has been patched in Winter CMS version 1.2.4. For users unable to upgrade to v1.2.4, a workaround is available by manually applying the patch commit 2969dae, which improves the detection of renames to SVG files (GitHub Patch).