Description
Impact
The backend Filter widget (Backend\Widgets\Filter) is vulnerable to SQL injection through
the numberrange scope type when the scope is configured with a conditions key.
An authenticated backend user with access to a list view containing a vulnerable filter scope can inject
arbitrary SQL via the filter's AJAX handler, potentially gaining read access to full database contents.
Exploitation requires a valid backend account and access to a list view where a third-party plugin has
registered a numberrange scope using the conditions configuration key. No built-in
Winter CMS backend views use this configuration combination by default.
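
To check whether an installation has any scope matching the exposure condition above, the following added example (not code from the advisory or from Winter CMS) scans YAML files for scopes that combine type numberrange with a conditions key. It assumes scopes are declared in block-style YAML under a `scopes:` key; the function names and the sample config are constructed for illustration.

```python
import re
from pathlib import Path

KEY = re.compile(r"^(\s*)([\w\-]+):\s*(.*)$")

# Constructed sample filter config (not from any real plugin).
SAMPLE = """\
scopes:
    price:
        type: numberrange
        conditions: price >= ':min' and price <= ':max'
    stock:
        type: numberrange
    published:
        type: checkbox
        conditions: is_published = 1
"""

def risky_scopes(yaml_text):
    """Names of scopes that combine type numberrange with a conditions key."""
    scopes, current = {}, None
    scopes_indent = name_indent = prop_indent = None
    for raw in yaml_text.splitlines():
        m = KEY.match(raw)
        if not m:
            continue  # blank line, comment, or continuation of a value
        indent, key = len(m.group(1)), m.group(2)
        value = m.group(3).split(" #")[0].strip().strip("'\"")
        if scopes_indent is None:
            if key == "scopes" and not value:
                scopes_indent, name_indent, current = indent, None, None
            continue
        if indent <= scopes_indent:
            scopes_indent = None  # left the scopes block
        elif name_indent is None or indent == name_indent:
            name_indent, current, prop_indent = indent, key, None
            scopes[current] = {}  # a new scope name starts here
        elif indent == (prop_indent := prop_indent or indent):
            scopes[current][key] = value  # direct property of the scope
    return sorted(n for n, p in scopes.items()
                  if p.get("type") == "numberrange" and "conditions" in p)

def audit(root):
    """Map each YAML file under root to its flagged scope names."""
    hits = {}
    for path in Path(root).rglob("*.yaml"):
        found = risky_scopes(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits
```

Run `audit()` against the directory that holds third-party plugins; any scope it reports should be reviewed, and the installation upgraded or patched as described below.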
Patches
This issue is fixed in Winter CMS v1.2.13.
Workarounds
If you cannot upgrade immediately, apply commit 50713de to your Winter CMS installation.