Winter CMS Local File Inclusion (LFI) (CVE-2023-52085)
Source: pentest-tools.com, indexed 2025-03-25
Description:
Winter is a free, open-source content management system. Users with access to backend forms that include a ColorPicker FormWidget can provide a value that would then be included without further processing in the compilation of custom stylesheets via LESS. This had the potential to lead to a Local File Inclusion vulnerability. This issue has been patched in v1.2.4.
Provider:
pentest-tools.com



