N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-q37h-jhf3-85cj

EPSS Score

CWE

Published

7/15/2022

Updated

1/12/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-q37h-jhf3-85cj

GHSA-q37h-jhf3-85cj: Bypass of CMS Safe Mode Security Feature

Impact

Authenticated users with permissions to create or modify theme template objects through the backend "CMS" editor can exploit this vulnerability to bypass the cms.enableSafeMode security feature if enabled (disables modification of PHP code through the web interface when enabled).

This is only an issue for Winter CMS instances that rely on the Safe Mode security feature to prevent privileged users from modifying the PHP code of CMS theme template objects through the web interface.

CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Patches

Issue has been fixed in v1.0.475, v1.1.9, & v1.2.

Workarounds

Apply https://github.com/wintercms/storm/commit/03eb5ce3f2a271670574802b914f7bcaf07663c1 manually if unable to upgrade to v1.0.475, v1.1.9, or v1.2.0.

References

See https://github.com/octobercms/october/security/advisories/GHSA-79jw-2f46-wv22/.

Credit to David Miller for reporting the issue.

For more information

If you have any questions or comments about this advisory:

Email us at hello@wintercms.com

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-q37h-jhf3-85cj

EPSS Score

CWE

Published

7/15/2022

Updated

1/12/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
wintercms/winter	composer	< 1.0.475	1.0.475
wintercms/winter	composer	>= 1.1.0, < 1.1.9	1.1.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows bypassing Safe Mode checks during template modification. Core template manipulation methods like setAttribute in Template.php would be responsible for enforcing content restrictions. The backend controller's save handler (onSave) is a logical entry point for template edits. The high confidence in Template::setAttribute stems from its direct role in modifying template content, while the controller method receives medium confidence due to typical MVC patterns, though exact implementation details are inferred without commit diffs. The patch commit wintercms/storm@03eb5ce likely added Safe Mode checks to these critical points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ut**nti**t** us*rs wit* p*rmissions to *r**t* or mo*i*y t**m* t*mpl*t* o*j**ts t*rou** t** ***k*n* "*MS" **itor **n *xploit t*is vuln*r**ility to *yp*ss t** `*ms.*n**l*S***Mo**` s**urity ***tur* i* *n**l** (*is**l*s mo*i*i**tion o* P*P *

Reasoning

T** vuln*r**ility *llows *yp*ssin* S*** Mo** ****ks *urin* t*mpl*t* mo*i*i**tion. *or* t*mpl*t* m*nipul*tion m*t*o*s lik* `s*t*ttri*ut*` in `T*mpl*t*.p*p` woul* ** r*sponsi*l* *or *n*or*in* *ont*nt r*stri*tions. T** ***k*n* *ontroll*r's s*v* **n*l*r

N/A

Basic Information

Concerned about an active attack path?

GHSA-q37h-jhf3-85cj: Bypass of CMS Safe Mode Security Feature

Impact

Patches

Workarounds

References

For more information

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI