1. Vulnerability Overview:

2. Description:

A Reflected Cross-site Scripting (XSS) vulnerability has been identified in version 1.2.6 of Winter CMS, in /vendor/winter/storm/src/Halcyon/Builder.php. This flaw enables attackers to inject a malicious script containing JavaScript code, which may subsequently be triggered in the server response.

3. Steps to reproduce:

  1. After logging in with admin credentials and visiting the admin panel of Winter CMS, we navigated to the CMS page and clicked on one of the pages:
