
18 vulnerabilities by xibosignage

CVE-2025-62369 (GCVE-0-2025-62369)

Vulnerability from cvelistv5 – Published: 2025-11-04 21:18 – Updated: 2025-11-05 14:29
Title
Xibo CMS: Remote Code Execution through module templates
Summary
Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To work around this issue, apply the 4.1 and 4.2 patch commits.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: < 4.3.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62369",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-05T14:29:27.039876Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-05T14:29:33.887Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu\u0027s Module Templating functionality, allowing authenticated users with \"System -\u003e Add/Edit custom modules and templates\" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To workaround this issue, use the 4.1 and 4.2 patch commits."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-04T21:18:38.880Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1"
        },
        {
          "name": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch"
        }
      ],
      "source": {
        "advisory": "GHSA-7rmm-689c-gjgv",
        "discovery": "UNKNOWN"
      },
      "title": "Xibo CMS: Remote Code Execution through module templates"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62369",
    "datePublished": "2025-11-04T21:18:38.880Z",
    "dateReserved": "2025-10-10T14:22:48.204Z",
    "dateUpdated": "2025-11-05T14:29:33.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-43413 (GCVE-0-2024-43413)

Vulnerability from cvelistv5 – Published: 2024-09-03 18:52 – Updated: 2024-09-03 19:28
Title
Xibo CMS XSS vulnerability using DataSet HTML columns
Summary
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with an HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: < 4.1.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43413",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T19:28:33.555383Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T19:28:40.467Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-03T18:52:27.153Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1"
        }
      ],
      "source": {
        "advisory": "GHSA-pfxp-vxh7-2h9f",
        "discovery": "UNKNOWN"
      },
      "title": "Xibo CMS XSS vulnerability using DataSet HTML columns"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43413",
    "datePublished": "2024-09-03T18:52:27.153Z",
    "dateReserved": "2024-08-12T18:02:04.967Z",
    "dateUpdated": "2024-09-03T19:28:40.467Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-43412 (GCVE-0-2024-43412)

Vulnerability from cvelistv5 – Published: 2024-09-03 16:52 – Updated: 2024-09-03 17:43
Title
Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS
Summary
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor, they are executed in the user's browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to prevent previewing of generic files. There are no workarounds for this issue.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: < 4.1.0

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43412",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-03T17:40:46.046472Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-03T17:43:03.820Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the users browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to preview previewing of generic files. There are no workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-03T16:52:23.643Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118"
        }
      ],
      "source": {
        "advisory": "GHSA-336f-wrgx-57gg",
        "discovery": "UNKNOWN"
      },
      "title": "Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43412",
    "datePublished": "2024-09-03T16:52:23.643Z",
    "dateReserved": "2024-08-12T18:02:04.967Z",
    "dateUpdated": "2024-09-03T17:43:03.820Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41944 (GCVE-0-2024-41944)

Vulnerability from cvelistv5 – Published: 2024-07-30 16:24 – Updated: 2024-08-02 04:54
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `sortBy` parameter. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: => 2.1.0, < 3.3.12
Affected: => 4.0.0-alpha, < 4.0.14

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "3.3.12",
                "status": "affected",
                "version": "2.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "4.0.14",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41944",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-30T16:39:27.628296Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T16:39:38.822Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:54:31.359Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2024-07",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2024-07"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "=\u003e 2.1.0, \u003c 3.3.12"
            },
            {
              "status": "affected",
              "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `sortBy` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-30T16:24:40.398Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2024-07",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2024-07"
        }
      ],
      "source": {
        "advisory": "GHSA-v6q4-h869-gm3r",
        "discovery": "UNKNOWN"
      },
      "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41944",
    "datePublished": "2024-07-30T16:24:40.398Z",
    "dateReserved": "2024-07-24T16:51:40.947Z",
    "dateUpdated": "2024-08-02T04:54:31.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41804 (GCVE-0-2024-41804)

Vulnerability from cvelistv5 – Published: 2024-07-30 15:51 – Updated: 2024-08-02 04:46
Title
Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for adding/editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: => 2.1.0, < 3.3.12
Affected: => 4.0.0-alpha, < 4.0.14

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "3.3.12",
                "status": "affected",
                "version": "2.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "4.0.14",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41804",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-30T16:22:10.295843Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T16:37:49.859Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:46:52.668Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2024-07",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2024-07"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "=\u003e 2.1.0, \u003c 3.3.12"
            },
            {
              "status": "affected",
              "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-30T15:51:53.961Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2024-07",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2024-07"
        }
      ],
      "source": {
        "advisory": "GHSA-4pp3-4mw7-qfwr",
        "discovery": "UNKNOWN"
      },
      "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41804",
    "datePublished": "2024-07-30T15:51:53.961Z",
    "dateReserved": "2024-07-22T13:57:37.135Z",
    "dateUpdated": "2024-08-02T04:46:52.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41802 (GCVE-0-2024-41802)

Vulnerability from cvelistv5 – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
Title
Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout containing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: => 1.8.0, < 3.3.12
Affected: => 4.0.0-alpha, < 4.0.14

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:1.8.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "3.3.12",
                "status": "affected",
                "version": "1.8.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "4.0.14",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41802",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-30T16:24:46.548222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T16:45:37.290Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:46:52.692Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2024-07",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2024-07"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "=\u003e 1.8.0, \u003c 3.3.12"
            },
            {
              "status": "affected",
              "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout containing DataSet data.\nUsers should upgrade to version 3.3.12 or 4.0.14, which fix this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-30T15:49:52.120Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2024-07",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2024-07"
        }
      ],
      "source": {
        "advisory": "GHSA-x4qm-vvhp-g7c2",
        "discovery": "UNKNOWN"
      },
      "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41802",
    "datePublished": "2024-07-30T15:49:52.120Z",
    "dateReserved": "2024-07-22T13:57:37.135Z",
    "dateUpdated": "2024-08-02T04:46:52.692Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-41803 (GCVE-0-2024-41803)

Vulnerability from cvelistv5 – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
Title
Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: => 2.1.0, < 3.3.12
Affected: => 4.0.0-alpha, < 4.0.14

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "3.3.12",
                "status": "affected",
                "version": "2.1.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "4.0.14",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41803",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-30T16:38:38.942869Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-30T16:38:53.151Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:46:52.683Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2024-07",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2024-07"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "=\u003e 2.1.0, \u003c 3.3.12"
            },
            {
              "status": "affected",
              "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-30T15:49:51.716Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2024-07",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2024-07"
        }
      ],
      "source": {
        "advisory": "GHSA-hpc5-mxfq-44hv",
        "discovery": "UNKNOWN"
      },
      "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41803",
    "datePublished": "2024-07-30T15:49:51.716Z",
    "dateReserved": "2024-07-22T13:57:37.135Z",
    "dateUpdated": "2024-08-02T04:46:52.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-29022 (GCVE-0-2024-29022)

Vulnerability from cvelistv5 – Published: 2024-04-12 21:04 – Updated: 2024-08-02 01:03
Title
Session Hijacking via XSS attack in header and session grid in Xibo CMS
Summary
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this issue.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-117 - Improper Output Neutralization for Logs
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: >=1.8.0, < 3.3.10
Affected: >= 4.0.0, < 4.0.9

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "3.3.10",
                "status": "affected",
                "version": "1.8.0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.0.9",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29022",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-03T15:17:47.008243Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-03T16:46:10.776Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:03:51.421Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq"
          },
          {
            "name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2024-04",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2024-04"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e=1.8.0, \u003c 3.3.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-117",
              "description": "CWE-117: Improper Output Neutralization for Logs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-12T21:04:23.813Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq"
        },
        {
          "name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2024-04",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2024-04"
        }
      ],
      "source": {
        "advisory": "GHSA-xchw-pf2w-rpgq",
        "discovery": "UNKNOWN"
      },
      "title": "Session Hijacking via XSS attack in header and session grid in Xibo CMS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29022",
    "datePublished": "2024-04-12T21:04:23.813Z",
    "dateReserved": "2024-03-14T16:59:47.611Z",
    "dateUpdated": "2024-08-02T01:03:51.421Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-29023 (GCVE-0-2024-29023)

Vulnerability from cvelistv5 – Published: 2024-04-12 21:00 – Updated: 2024-08-02 01:03
Title
Session Hijacking via token exposure on the session page in Xibo CMS
Summary
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be granted access to the session page, or be a super admin. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this vulnerability.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: >= 1.8.0, < 3.3.10
Affected: >= 4.0.0, < 4.0.9

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "xibo",
            "vendor": "xibosignage",
            "versions": [
              {
                "lessThan": "3.3.10",
                "status": "affected",
                "version": "1.8.0",
                "versionType": "custom"
              },
              {
                "lessThan": "4.0.9",
                "status": "affected",
                "version": "4.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29023",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T13:17:42.679021Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-23T18:44:58.498Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:03:51.702Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39"
          },
          {
            "name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2024-04",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2024-04"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.8.0, \u003c 3.3.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be granted access to the session page, or be a super admin. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-12T21:00:55.671Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39"
        },
        {
          "name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2024-04",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2024-04"
        }
      ],
      "source": {
        "advisory": "GHSA-xmc6-cfq5-hg39",
        "discovery": "UNKNOWN"
      },
      "title": "Session Hijacking via token exposure on the session page in Xibo CMS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29023",
    "datePublished": "2024-04-12T21:00:55.671Z",
    "dateReserved": "2024-03-14T16:59:47.611Z",
    "dateUpdated": "2024-08-02T01:03:51.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-33181 (GCVE-0-2023-33181)

Vulnerability from cvelistv5 – Published: 2023-05-30 20:57 – Updated: 2025-01-09 18:48
Title
Sensitive Information Disclosure abusing Stack Trace in Xibo CMS
Summary
Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: >= 3.0.0, < 3.3.5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.745Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
          },
          {
            "name": "https://claroty.com/team82/disclosure-dashboard",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://claroty.com/team82/disclosure-dashboard"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33181",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T18:48:16.050881Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T18:48:26.867Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.3.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-30T20:57:38.437Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
        },
        {
          "name": "https://claroty.com/team82/disclosure-dashboard",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://claroty.com/team82/disclosure-dashboard"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
        }
      ],
      "source": {
        "advisory": "GHSA-c9cx-ghwr-x58m",
        "discovery": "UNKNOWN"
      },
      "title": "Sensitive Information Disclosure abusing Stack Trace in Xibo CMS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33181",
    "datePublished": "2023-05-30T20:57:38.437Z",
    "dateReserved": "2023-05-17T22:25:50.696Z",
    "dateUpdated": "2025-01-09T18:48:26.867Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-33180 (GCVE-0-2023-33180)

Vulnerability from cvelistv5 – Published: 2023-05-30 20:18 – Updated: 2025-01-09 21:15
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: >= 3.2.0, < 3.3.5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.827Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
          },
          {
            "name": "https://claroty.com/team82/disclosure-dashboard",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://claroty.com/team82/disclosure-dashboard"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33180",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T21:15:04.104699Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T21:15:34.741Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.2.0, \u003c 3.3.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-30T20:18:40.895Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
        },
        {
          "name": "https://claroty.com/team82/disclosure-dashboard",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://claroty.com/team82/disclosure-dashboard"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
        }
      ],
      "source": {
        "advisory": "GHSA-7ww5-x9rm-qm89",
        "discovery": "UNKNOWN"
      },
      "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33180",
    "datePublished": "2023-05-30T20:18:40.895Z",
    "dateReserved": "2023-05-17T22:25:50.696Z",
    "dateUpdated": "2025-01-09T21:15:34.741Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-33179 (GCVE-0-2023-33179)

Vulnerability from cvelistv5 – Published: 2023-05-30 20:07 – Updated: 2025-01-09 21:16
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: >= 3.2.0, < 3.3.5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.803Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
          },
          {
            "name": "https://claroty.com/team82/disclosure-dashboard",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://claroty.com/team82/disclosure-dashboard"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33179",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T21:16:22.453820Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T21:16:43.284Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.2.0, \u003c 3.3.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-30T20:07:13.870Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
        },
        {
          "name": "https://claroty.com/team82/disclosure-dashboard",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://claroty.com/team82/disclosure-dashboard"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
        }
      ],
      "source": {
        "advisory": "GHSA-jmx8-cgm4-7mf5",
        "discovery": "UNKNOWN"
      },
      "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33179",
    "datePublished": "2023-05-30T20:07:13.870Z",
    "dateReserved": "2023-05-17T22:25:50.696Z",
    "dateUpdated": "2025-01-09T21:16:43.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-33178 (GCVE-0-2023-33178)

Vulnerability from cvelistv5 – Published: 2023-05-30 19:55 – Updated: 2025-01-09 19:16
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this checking was done in a case-sensitive manner, so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: >= 1.4.0, < 2.3.17
Affected: >= 3.0.0, < 3.3.5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.798Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
          },
          {
            "name": "https://claroty.com/team82/disclosure-dashboard",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://claroty.com/team82/disclosure-dashboard"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33178",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T19:16:31.715244Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T19:16:45.390Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.4.0, \u003c 2.3.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.3.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this checking was done in a case-sensitive manner, so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-30T19:55:49.496Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
        },
        {
          "name": "https://claroty.com/team82/disclosure-dashboard",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://claroty.com/team82/disclosure-dashboard"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
        }
      ],
      "source": {
        "advisory": "GHSA-g9x2-757j-hmhh",
        "discovery": "UNKNOWN"
      },
      "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33178",
    "datePublished": "2023-05-30T19:55:49.496Z",
    "dateReserved": "2023-05-17T22:25:50.696Z",
    "dateUpdated": "2025-01-09T19:16:45.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-33177 (GCVE-0-2023-33177)

Vulnerability from cvelistv5 – Published: 2023-05-30 19:12 – Updated: 2025-06-17 20:21
Title
Xibo CMS vulnerable to Remote Code Execution through Zip Slip
Summary
Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
xibosignage xibo-cms Affected: >= 1.8.0, < 2.3.17
Affected: >= 3.0.0, < 3.3.5

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:39:35.620Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
          },
          {
            "name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
          },
          {
            "name": "https://claroty.com/team82/disclosure-dashboard",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://claroty.com/team82/disclosure-dashboard"
          },
          {
            "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-33177",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T21:17:24.324205Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-17T20:21:25.891Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xibo-cms",
          "vendor": "xibosignage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.8.0, \u003c 2.3.17"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.3.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-30T19:12:01.606Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
        },
        {
          "name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
        },
        {
          "name": "https://claroty.com/team82/disclosure-dashboard",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://claroty.com/team82/disclosure-dashboard"
        },
        {
          "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
        }
      ],
      "source": {
        "advisory": "GHSA-jj27-x85q-crqv",
        "discovery": "UNKNOWN"
      },
      "title": "Xibo CMS vulnerable to Remote Code Execution through Zip Slip"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-33177",
    "datePublished": "2023-05-30T19:12:01.606Z",
    "dateReserved": "2023-05-17T22:25:50.696Z",
    "dateUpdated": "2025-06-17T20:21:25.891Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-4888 (GCVE-0-2013-4888)

Vulnerability from cvelistv5 – Published: 2014-01-29 18:00 – Updated: 2024-08-06 16:59
Summary
Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page.
Severity
No CVSS data available.
CWE
  • n/a

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:59:40.631Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-07-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-01-29T17:57:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-4888",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html",
              "refsource": "MISC",
              "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-4888",
    "datePublished": "2014-01-29T18:00:00",
    "dateReserved": "2013-07-22T00:00:00",
    "dateUpdated": "2024-08-06T16:59:40.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-4887 (GCVE-0-2013-4887)

Vulnerability from cvelistv5 – Published: 2014-01-29 18:00 – Updated: 2024-08-06 16:59
Summary
SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter.
Severity
No CVSS data available.
CWE
  • n/a

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:59:40.935Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "xibo-cve20134887-sql-injection(86777)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86777"
          },
          {
            "name": "62071",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/62071"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-07-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-28T12:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "xibo-cve20134887-sql-injection(86777)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86777"
        },
        {
          "name": "62071",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/62071"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-4887",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "xibo-cve20134887-sql-injection(86777)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86777"
            },
            {
              "name": "62071",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/62071"
            },
            {
              "name": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html",
              "refsource": "MISC",
              "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-4887",
    "datePublished": "2014-01-29T18:00:00",
    "dateReserved": "2013-07-22T00:00:00",
    "dateUpdated": "2024-08-06T16:59:40.935Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-4889 (GCVE-0-2013-4889)

Vulnerability from cvelistv5 – Published: 2014-01-29 18:00 – Updated: 2024-08-06 16:59
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888.
Severity
No CVSS data available.
CWE
  • n/a

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:59:41.021Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-07-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-01-29T17:57:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-4889",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html",
              "refsource": "MISC",
              "url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-4889",
    "datePublished": "2014-01-29T18:00:00",
    "dateReserved": "2013-07-22T00:00:00",
    "dateUpdated": "2024-08-06T16:59:41.021Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-5979 (GCVE-0-2013-5979)

Vulnerability from cvelistv5 – Published: 2013-10-02 22:00 – Updated: 2024-09-16 16:32
Summary
Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
Severity
No CVSS data available.
CWE
  • n/a

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T17:29:42.718Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-%28DS-2013-00"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.launchpad.net/xibo/+bug/1093967"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-10-02T22:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-%28DS-2013-00"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.launchpad.net/xibo/+bug/1093967"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-5979",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-(DS-2013-00",
              "refsource": "MISC",
              "url": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-(DS-2013-00"
            },
            {
              "name": "https://bugs.launchpad.net/xibo/+bug/1093967",
              "refsource": "CONFIRM",
              "url": "https://bugs.launchpad.net/xibo/+bug/1093967"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2013-5979",
    "datePublished": "2013-10-02T22:00:00Z",
    "dateReserved": "2013-10-02T00:00:00Z",
    "dateUpdated": "2024-09-16T16:32:55.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}