CVE-2024-29686 - Vulnerability Details - OpenCVE

Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779
https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure
https://www.exploit-db.com/exploits/51893

History

Fri, 23 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
CPEs	cpe:2.3:a:wintercms:winter:1.2.3:::::::*
Vendors & Products	Wintercms Wintercms winter
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-03-29T00:00:00

Updated: 2024-08-23T13:55:48.525Z

Reserved: 2024-03-19T00:00:00

Link: CVE-2024-29686

Vulnrichment

Updated: 2024-08-02T01:10:55.494Z

NVD

Status : Awaiting Analysis

Published: 2024-03-29T16:15:08.047

Modified: 2024-11-21T09:08:09.957

Link: CVE-2024-29686

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-29686", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-23T13:55:48.525Z", "dateReserved": "2024-03-19T00:00:00", "datePublished": "2024-03-29T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-04-01T00:52:53.676560"}, "descriptions": [{"lang": "en", "value": "Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51893"}, {"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"}, {"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-97", "lang": "en", "description": "CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page"}]}], "affected": [{"vendor": "wintercms", "product": "winter", "cpes": ["cpe:2.3:a:wintercms:winter:1.2.3:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.2.3", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-08-23T13:55:31.249487Z", "id": "CVE-2024-29686", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-23T13:55:48.525Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.494Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.exploit-db.com/exploits/51893", "tags": ["x_transferred"]}, {"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779", "tags": ["x_transferred"]}, {"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.exploit-db.com/exploits/51893", "tags": ["x_transferred"]}, {"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779", "tags": ["x_transferred"]}, {"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.494Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29686", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-23T13:55:31.249487Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wintercms:winter:1.2.3:*:*:*:*:*:*:*"], "vendor": "wintercms", "product": "winter", "versions": [{"status": "affected", "version": "1.2.3"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-97", "description": "CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T14:33:31.668Z"}}], "cna": {"tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51893"}, {"url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"}, {"url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"}], "descriptions": [{"lang": "en", "value": "Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-04-01T00:52:53.676560"}}}, "cveMetadata": {"cveId": "CVE-2024-29686", "state": "PUBLISHED", "dateUpdated": "2024-08-23T13:55:48.525Z", "dateReserved": "2024-03-19T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-03-29T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. NOTE: the vendor disputes this because the payload could only be entered by a trusted user, such as the owner of the server that hosts Winter CMS, or a developer working for them."}, {"lang": "es", "value": "Vulnerabilidad de Server-side Template Injection (SSTI) en Winter CMS v.1.2.3 permite a un atacante remoto ejecutar c\u00f3digo arbitrario a trav\u00e9s de un payload manipulado en el campo P\u00e1ginas del CMS y los componentes del complemento. NOTA: el proveedor cuestiona esto porque el payload solo puede ser ingresada por un usuario confiable, como el propietario del servidor que aloja Winter CMS, o un desarrollador que trabaja para ellos."}], "id": "CVE-2024-29686", "lastModified": "2024-11-21T09:08:09.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-29T16:15:08.047", "references": [{"source": "cve@mitre.org", "url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"}, {"source": "cve@mitre.org", "url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"}, {"source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/51893"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/51893"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-97"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}