CVE-2023-52084: 
PHP vulnerability analysis and mitigation

Winter CMS, a free and open-source content management system, was found to contain a stored XSS vulnerability (CVE-2023-52084) discovered on December 28, 2023. The vulnerability affects versions prior to 1.2.4 and allows users with backend access to forms containing a ColorPicker FormWidget to provide values that would be rendered unescaped in the backend form, potentially enabling a stored XSS attack (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The issue specifically affects the ColorPicker FormWidget component in the backend forms, where user input was not properly escaped before being rendered. By default, this vulnerability impacts the Brand Settings and Mail Brand Settings forms, and commonly affects Theme Customization forms in themes (GitHub Advisory).

The impact of this vulnerability is considered relatively low due to its prerequisites. An attacker would need to already have trusted access to the Winter CMS backend and would need to convince a user with higher privileges to visit an affected Form in the backend. If successfully exploited, it could lead to stored XSS attacks, potentially compromising user sessions or executing unauthorized actions (GitHub Advisory).

The vulnerability has been patched in Winter CMS version 1.2.4. For users unable to upgrade to v1.2.4, a manual application of commit 517f65d can be applied as a workaround (GitHub Advisory, Winter Patch).