
    CVE-2026-31956 (GCVE-0-2026-31956)

    Vulnerability from nvd – Published: 2026-04-24 00:16 – Updated: 2026-04-24 13:08
    Title
    Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, the campaign/region preview and saved-report export endpoints did not enforce object-level authorization on the identifier supplied in the request (CWE-639), so any authenticated user could manually construct a URL to preview campaigns/regions and export saved reports belonging to other users. Exploitation is possible on behalf of an authorized user who holds any of the following privileges: the page which shows all Layouts that have been created (Layout Management); the page which shows all Campaigns that have been created (Campaign Management); or the page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1, which fixes this issue; no workaround is described, so upgrading to a fixed version is necessary to remediate.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31956",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T13:08:09.832329Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T13:08:17.026Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:16:03.413Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-q6rv-8hhj-3fr8",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31956",
        "datePublished": "2026-04-24T00:16:03.413Z",
        "dateReserved": "2026-03-10T15:40:10.479Z",
        "dateUpdated": "2026-04-24T13:08:17.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31955 (GCVE-0-2026-31955)

    Vulnerability from nvd – Published: 2026-04-24 00:14 – Updated: 2026-04-25 01:40
    Title
    Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation is possible on behalf of an authorized user who holds the following privilege, which is not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.1, which fixes this issue; upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke that privilege from users they do not trust. As defence in depth, operators should also consider restricting the CMS server's outbound network access and, on cloud hosts, requiring token-based instance metadata access (e.g., IMDSv2) so that an SSRF cannot trivially reach instance credentials.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31955",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-25T01:40:06.113857Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-25T01:40:15.137Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include \"Add DataSet\" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:14:15.950Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-5q58-9vhx-xg2p",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31955",
        "datePublished": "2026-04-24T00:14:15.950Z",
        "dateReserved": "2026-03-10T15:10:10.658Z",
        "dateUpdated": "2026-04-25T01:40:15.137Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31953 (GCVE-0-2026-31953)

    Vulnerability from nvd – Published: 2026-04-24 00:08 – Updated: 2026-04-24 18:18
    Title
    Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an "interrupt," the payload executes automatically in the browser of any targeted user upon login, requiring no user interaction beyond logging in; because the script runs in the victim's authenticated session, targeting an administrator account gives the attacker that administrator's effective privileges in the CMS. Exploitation is possible on behalf of an authorized user who holds both of the following privileges, which are not granted to non-admins as standard: access to the Notification Centre to view past notifications, and the "Add Notification" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1, which fixes this issue; upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke those privileges from users they do not trust.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31953",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T17:06:13.418352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T18:18:24.562Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an \"interrupt,\" the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include \"Add Notification\" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:08:21.548Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-85w9-c833-q4w2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-85w9-c833-q4w2"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-85w9-c833-q4w2",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31953",
        "datePublished": "2026-04-24T00:08:21.548Z",
        "dateReserved": "2026-03-10T15:10:10.657Z",
        "dateUpdated": "2026-04-24T18:18:24.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31952 (GCVE-0-2026-31952)

    Vulnerability from nvd – Published: 2026-04-24 00:05 – Updated: 2026-04-24 16:31
    Title
    Xibo CMS API has SQL Injection via DataSet Filter Parameter
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data in the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation is possible on behalf of an authorized user who holds either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1, which fixes this issue. Customers who host their CMS with Xibo Signage have already been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are also available for earlier, out-of-support versions of Xibo CMS, namely 3.3, 2.3, and 1.8; self-hosted deployments on those branches need to apply the referenced patch commits, since the branches will not otherwise receive the fix.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-184 - Incomplete List of Disallowed Inputs
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 1.7, < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31952",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T16:31:28.534964Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T16:31:37.061Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.7, \u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:05:04.782Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629"
            },
            {
              "name": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-rq92-f6fv-3629",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS API has SQL Injection via DataSet Filter Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31952",
        "datePublished": "2026-04-24T00:05:04.782Z",
        "dateReserved": "2026-03-10T15:10:10.657Z",
        "dateUpdated": "2026-04-24T16:31:37.061Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62369 (GCVE-0-2025-62369)

    Vulnerability from nvd – Published: 2025-11-04 21:18 – Updated: 2025-11-05 14:29
    Title
    Xibo CMS: Remote Code Execution through module templates
    Summary
    Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user (server-side template injection, CWE-1336). This issue is fixed in version 4.3.1. Deployments that cannot move to 4.3.1 should apply the referenced patch commits for the 4.1 and 4.2 branches; until patched, the affected permission should be restricted to fully trusted administrators, since it is equivalent to code execution on the CMS host.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.3.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-05T14:29:27.039876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-05T14:29:33.887Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.3.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu\u0027s Module Templating functionality, allowing authenticated users with \"System -\u003e Add/Edit custom modules and templates\" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To workaround this issue, use the 4.1 and 4.2 patch commits."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1336",
                  "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-04T21:18:38.880Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1"
            },
            {
              "name": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch"
            }
          ],
          "source": {
            "advisory": "GHSA-7rmm-689c-gjgv",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS: Remote Code Execution through module templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62369",
        "datePublished": "2025-11-04T21:18:38.880Z",
        "dateReserved": "2025-10-10T14:22:48.204Z",
        "dateUpdated": "2025-11-05T14:29:33.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-43413 (GCVE-0-2024-43413)

    Vulnerability from nvd – Published: 2024-09-03 18:52 – Updated: 2024-09-03 19:28
    Title
    Xibo CMS XSS vulnerability using DataSet HTML columns
    Summary
    Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with an HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.1.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-43413",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T19:28:33.555383Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T19:28:40.467Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with an HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T18:52:27.153Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1"
            }
          ],
          "source": {
            "advisory": "GHSA-pfxp-vxh7-2h9f",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS XSS vulnerability using DataSet HTML columns"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-43413",
        "datePublished": "2024-09-03T18:52:27.153Z",
        "dateReserved": "2024-08-12T18:02:04.967Z",
        "dateUpdated": "2024-09-03T19:28:40.467Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-43412 (GCVE-0-2024-43412)

    Vulnerability from nvd – Published: 2024-09-03 16:52 – Updated: 2024-09-03 17:43
    Title
    Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS
    Summary
    Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the user's browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to prevent previewing of generic files. There are no workarounds for this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.1.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-43412",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T17:40:46.046472Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T17:43:03.820Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the user's browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to prevent previewing of generic files. There are no workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T16:52:23.643Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118"
            }
          ],
          "source": {
            "advisory": "GHSA-336f-wrgx-57gg",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-43412",
        "datePublished": "2024-09-03T16:52:23.643Z",
        "dateReserved": "2024-08-12T18:02:04.967Z",
        "dateUpdated": "2024-09-03T17:43:03.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41804 (GCVE-0-2024-41804)

    Vulnerability from nvd – Published: 2024-07-30 15:51 – Updated: 2024-08-02 04:46
    Title
    Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: => 2.1.0, < 3.3.12
    Affected: => 4.0.0-alpha, < 4.0.14
    xibosignage xibo Affected: 2.1.0 , < 3.3.12 (custom)
        cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*
    xibosignage xibo Affected: 4.0.0 , < 4.0.14 (custom)
        cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "3.3.12",
                    "status": "affected",
                    "version": "2.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "4.0.14",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41804",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T16:22:10.295843Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T16:37:49.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:46:52.668Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2024-07",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2024-07"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "=\u003e 2.1.0, \u003c 3.3.12"
                },
                {
                  "status": "affected",
                  "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T15:51:53.961Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2024-07",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2024-07"
            }
          ],
          "source": {
            "advisory": "GHSA-4pp3-4mw7-qfwr",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-41804",
        "datePublished": "2024-07-30T15:51:53.961Z",
        "dateReserved": "2024-07-22T13:57:37.135Z",
        "dateUpdated": "2024-08-02T04:46:52.668Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41803 (GCVE-0-2024-41803)

    Vulnerability from nvd – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
    Title
    Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: => 2.1.0, < 3.3.12
    Affected: => 4.0.0-alpha, < 4.0.14
    xibosignage xibo Affected: 2.1.0 , < 3.3.12 (custom)
        cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*
    xibosignage xibo Affected: 4.0.0 , < 4.0.14 (custom)
        cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "3.3.12",
                    "status": "affected",
                    "version": "2.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "4.0.14",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T16:38:38.942869Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T16:38:53.151Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:46:52.683Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2024-07",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2024-07"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "=\u003e 2.1.0, \u003c 3.3.12"
                },
                {
                  "status": "affected",
                  "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T15:49:51.716Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2024-07",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2024-07"
            }
          ],
          "source": {
            "advisory": "GHSA-hpc5-mxfq-44hv",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-41803",
        "datePublished": "2024-07-30T15:49:51.716Z",
        "dateReserved": "2024-07-22T13:57:37.135Z",
        "dateUpdated": "2024-08-02T04:46:52.683Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41802 (GCVE-0-2024-41802)

    Vulnerability from nvd – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
    Title
    Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout containing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 1.8.0, < 3.3.12
    Affected: >= 4.0.0-alpha, < 4.0.14
    xibosignage xibo Affected: 1.8.0 , < 3.3.12 (custom)
        cpe:2.3:a:xibosignage:xibo:1.8.0:*:*:*:*:*:*:*
    xibosignage xibo Affected: 4.0.0 , < 4.0.14 (custom)
        cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:1.8.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "3.3.12",
                    "status": "affected",
                    "version": "1.8.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "4.0.14",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T16:24:46.548222Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T16:45:37.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:46:52.692Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2024-07",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2024-07"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "=\u003e 1.8.0, \u003c 3.3.12"
                },
                {
                  "status": "affected",
                  "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the APIs for importing JSON and importing a Layout containing DataSet data.\nUsers should upgrade to version 3.3.12 or 4.0.14 which fix this issue"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T15:49:52.120Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2024-07",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2024-07"
            }
          ],
          "source": {
            "advisory": "GHSA-x4qm-vvhp-g7c2",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-41802",
        "datePublished": "2024-07-30T15:49:52.120Z",
        "dateReserved": "2024-07-22T13:57:37.135Z",
        "dateUpdated": "2024-08-02T04:46:52.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33181 (GCVE-0-2023-33181)

    Vulnerability from nvd – Published: 2023-05-30 20:57 – Updated: 2025-01-09 18:48
    Title
    Sensitive Information Disclosure abusing Stack Trace in Xibo CMS
    Summary
    Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 3.0.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.745Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33181",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T18:48:16.050881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T18:48:26.867Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T20:57:38.437Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-c9cx-ghwr-x58m",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing Stack Trace in Xibo CMS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33181",
        "datePublished": "2023-05-30T20:57:38.437Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T18:48:26.867Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33180 (GCVE-0-2023-33180)

    Vulnerability from nvd – Published: 2023-05-30 20:18 – Updated: 2025-01-09 21:15
    Title
    Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading. (Note: the description says "prior to version 3.3.2" while the affected-version range recorded for this CVE is < 3.3.5 and the fixed release is 3.3.5; treat anything below 3.3.5 as affected.)
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 3.2.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.827Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T21:15:04.104699Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T21:15:34.741Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T20:18:40.895Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-7ww5-x9rm-qm89",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33180",
        "datePublished": "2023-05-30T20:18:40.895Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T21:15:34.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33179 (GCVE-0-2023-33179)

    Vulnerability from nvd – Published: 2023-05-30 20:07 – Updated: 2025-01-09 21:16
    Title
    Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 3.2.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T21:16:22.453820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T21:16:43.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T20:07:13.870Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-jmx8-cgm4-7mf5",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33179",
        "datePublished": "2023-05-30T20:07:13.870Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T21:16:43.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33178 (GCVE-0-2023-33178)

    Vulnerability from nvd – Published: 2023-05-30 19:55 – Updated: 2025-01-09 19:16
    Title
    Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this check was done in a case-sensitive manner, so it is possible to bypass it by using unusual case combinations. (This is a general weakness of keyword deny-lists as an SQL injection control: they are only as good as their normalisation, so the upgrade, not a tightened filter, is the remediation.) Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 1.4.0, < 2.3.17
    Affected: >= 3.0.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.798Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:16:31.715244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:16:45.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.0, \u003c 2.3.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed, however this checking was done in a case sensitive manor and so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T19:55:49.496Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-g9x2-757j-hmhh",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33178",
        "datePublished": "2023-05-30T19:55:49.496Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T19:16:45.390Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33177 (GCVE-0-2023-33177)

    Vulnerability from nvd – Published: 2023-05-30 19:12 – Updated: 2025-06-17 20:21
    VLAI KEVIntel
    Title
    Xibo CMS vulnerable to Remote Code Execution through Zip Slip
    Summary
    Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 1.8.0, < 2.3.17
    Affected: >= 3.0.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.620Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33177",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T21:17:24.324205Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T20:21:25.891Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.8.0, \u003c 2.3.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T19:12:01.606Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-jj27-x85q-crqv",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS vulnerable to Remote Code Execution through Zip Slip"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33177",
        "datePublished": "2023-05-30T19:12:01.606Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-06-17T20:21:25.891Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-31956 (GCVE-0-2026-31956)

    Vulnerability from cvelistv5 – Published: 2026-04-24 00:16 – Updated: 2026-04-24 13:08
    VLAI
    Title
    Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31956",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T13:08:09.832329Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T13:08:17.026Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:16:03.413Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-q6rv-8hhj-3fr8",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31956",
        "datePublished": "2026-04-24T00:16:03.413Z",
        "dateReserved": "2026-03-10T15:40:10.479Z",
        "dateUpdated": "2026-04-24T13:08:17.026Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31955 (GCVE-0-2026-31955)

    Vulnerability from cvelistv5 – Published: 2026-04-24 00:14 – Updated: 2026-04-25 01:40
    VLAI
    Title
    Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31955",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-25T01:40:06.113857Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-25T01:40:15.137Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include \"Add DataSet\" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:14:15.950Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-5q58-9vhx-xg2p",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31955",
        "datePublished": "2026-04-24T00:14:15.950Z",
        "dateReserved": "2026-03-10T15:10:10.658Z",
        "dateUpdated": "2026-04-25T01:40:15.137Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31953 (GCVE-0-2026-31953)

    Vulnerability from cvelistv5 – Published: 2026-04-24 00:08 – Updated: 2026-04-24 18:18
    VLAI
    Title
    Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an "interrupt," the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include "Add Notification" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31953",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T17:06:13.418352Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T18:18:24.562Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an \"interrupt,\" the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include \"Add Notification\" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:08:21.548Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-85w9-c833-q4w2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-85w9-c833-q4w2"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-85w9-c833-q4w2",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31953",
        "datePublished": "2026-04-24T00:08:21.548Z",
        "dateReserved": "2026-03-10T15:10:10.657Z",
        "dateUpdated": "2026-04-24T18:18:24.562Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-31952 (GCVE-0-2026-31952)

    Vulnerability from cvelistv5 – Published: 2026-04-24 00:05 – Updated: 2026-04-24 16:31
    Title
    Xibo CMS API has SQL Injection via DataSet Filter Parameter
    Summary
    Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    • CWE-184 - Incomplete List of Disallowed Inputs
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 1.7, < 4.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-31952",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T16:31:28.534964Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T16:31:37.061Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.7, \u003c 4.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-184",
                  "description": "CWE-184: Incomplete List of Disallowed Inputs",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T00:05:04.782Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629"
            },
            {
              "name": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-rq92-f6fv-3629",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS API has SQL Injection via DataSet Filter Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-31952",
        "datePublished": "2026-04-24T00:05:04.782Z",
        "dateReserved": "2026-03-10T15:10:10.657Z",
        "dateUpdated": "2026-04-24T16:31:37.061Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-62369 (GCVE-0-2025-62369)

    Vulnerability from cvelistv5 – Published: 2025-11-04 21:18 – Updated: 2025-11-05 14:29
    Title
    Xibo CMS: Remote Code Execution through module templates
    Summary
    Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To work around this issue, use the 4.1 and 4.2 patch commits.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    • CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.3.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-62369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-05T14:29:27.039876Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-05T14:29:33.887Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.3.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu\u0027s Module Templating functionality, allowing authenticated users with \"System -\u003e Add/Edit custom modules and templates\" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To workaround this issue, use the 4.1 and 4.2 patch commits."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1336",
                  "description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-04T21:18:38.880Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1"
            },
            {
              "name": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch"
            }
          ],
          "source": {
            "advisory": "GHSA-7rmm-689c-gjgv",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS: Remote Code Execution through module templates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-62369",
        "datePublished": "2025-11-04T21:18:38.880Z",
        "dateReserved": "2025-10-10T14:22:48.204Z",
        "dateUpdated": "2025-11-05T14:29:33.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-43413 (GCVE-0-2024-43413)

    Vulnerability from cvelistv5 – Published: 2024-09-03 18:52 – Updated: 2024-09-03 19:28
    Title
    Xibo CMS XSS vulnerability using DataSet HTML columns
    Summary
    Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with an HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.1.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-43413",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T19:28:33.555383Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T19:28:40.467Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T18:52:27.153Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1"
            }
          ],
          "source": {
            "advisory": "GHSA-pfxp-vxh7-2h9f",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS XSS vulnerability using DataSet HTML columns"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-43413",
        "datePublished": "2024-09-03T18:52:27.153Z",
        "dateReserved": "2024-08-12T18:02:04.967Z",
        "dateUpdated": "2024-09-03T19:28:40.467Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-43412 (GCVE-0-2024-43412)

    Vulnerability from cvelistv5 – Published: 2024-09-03 16:52 – Updated: 2024-09-03 17:43
    Title
    Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS
    Summary
    Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the user's browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to prevent previewing of generic files. There are no workarounds for this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: < 4.1.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-43412",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-03T17:40:46.046472Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-03T17:43:03.820Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 4.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the users browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to preview previewing of generic files. There are no workarounds for this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.6,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-03T16:52:23.643Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118"
            }
          ],
          "source": {
            "advisory": "GHSA-336f-wrgx-57gg",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-43412",
        "datePublished": "2024-09-03T16:52:23.643Z",
        "dateReserved": "2024-08-12T18:02:04.967Z",
        "dateUpdated": "2024-09-03T17:43:03.820Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41804 (GCVE-0-2024-41804)

    Vulnerability from cvelistv5 – Published: 2024-07-30 15:51 – Updated: 2024-08-02 04:46
    Title
    Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: => 2.1.0, < 3.3.12
    Affected: => 4.0.0-alpha, < 4.0.14
    xibosignage xibo Affected: 2.1.0 , < 3.3.12 (custom)
        cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*
    xibosignage xibo Affected: 4.0.0 , < 4.0.14 (custom)
        cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "3.3.12",
                    "status": "affected",
                    "version": "2.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "4.0.14",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41804",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T16:22:10.295843Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T16:37:49.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:46:52.668Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2024-07",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2024-07"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "=\u003e 2.1.0, \u003c 3.3.12"
                },
                {
                  "status": "affected",
                  "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T15:51:53.961Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2024-07",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2024-07"
            }
          ],
          "source": {
            "advisory": "GHSA-4pp3-4mw7-qfwr",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-41804",
        "datePublished": "2024-07-30T15:51:53.961Z",
        "dateReserved": "2024-07-22T13:57:37.135Z",
        "dateUpdated": "2024-08-02T04:46:52.668Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41802 (GCVE-0-2024-41802)

    Vulnerability from cvelistv5 – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
    VLAI
    Title
    Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout containing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: => 1.8.0, < 3.3.12
    Affected: => 4.0.0-alpha, < 4.0.14
    xibosignage xibo Affected: 1.8.0 , < 3.3.12 (custom)
        cpe:2.3:a:xibosignage:xibo:1.8.0:*:*:*:*:*:*:*
    xibosignage xibo Affected: 4.0.0 , < 4.0.14 (custom)
        cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:1.8.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "3.3.12",
                    "status": "affected",
                    "version": "1.8.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "4.0.14",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41802",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T16:24:46.548222Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T16:45:37.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:46:52.692Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2024-07",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2024-07"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "=\u003e 1.8.0, \u003c 3.3.12"
                },
                {
                  "status": "affected",
                  "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the APIs for importing JSON and importing a Layout containing DataSet data.\nUsers should upgrade to version 3.3.12 or 4.0.14 which fix this issue"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T15:49:52.120Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2024-07",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2024-07"
            }
          ],
          "source": {
            "advisory": "GHSA-x4qm-vvhp-g7c2",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-41802",
        "datePublished": "2024-07-30T15:49:52.120Z",
        "dateReserved": "2024-07-22T13:57:37.135Z",
        "dateUpdated": "2024-08-02T04:46:52.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-41803 (GCVE-0-2024-41803)

    Vulnerability from cvelistv5 – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
    VLAI
    Title
    Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: => 2.1.0, < 3.3.12
    Affected: => 4.0.0-alpha, < 4.0.14
    xibosignage xibo Affected: 2.1.0 , < 3.3.12 (custom)
        cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*
    xibosignage xibo Affected: 4.0.0 , < 4.0.14 (custom)
        cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "3.3.12",
                    "status": "affected",
                    "version": "2.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "xibo",
                "vendor": "xibosignage",
                "versions": [
                  {
                    "lessThan": "4.0.14",
                    "status": "affected",
                    "version": "4.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-41803",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-30T16:38:38.942869Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-30T16:38:53.151Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:46:52.683Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2024-07",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2024-07"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "=\u003e 2.1.0, \u003c 3.3.12"
                },
                {
                  "status": "affected",
                  "version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain arbitrary data from the Xibo database by injecting specially crafted values in to the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-30T15:49:51.716Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2024-07",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2024-07"
            }
          ],
          "source": {
            "advisory": "GHSA-hpc5-mxfq-44hv",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-41803",
        "datePublished": "2024-07-30T15:49:51.716Z",
        "dateReserved": "2024-07-22T13:57:37.135Z",
        "dateUpdated": "2024-08-02T04:46:52.683Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33181 (GCVE-0-2023-33181)

    Vulnerability from cvelistv5 – Published: 2023-05-30 20:57 – Updated: 2025-01-09 18:48
    VLAI
    Title
    Sensitive Information Disclosure abusing Stack Trace in Xibo CMS
    Summary
    Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes print a stack trace when called with missing or invalid parameters, revealing sensitive information about the paths the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-209 - Generation of Error Message Containing Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 3.0.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.745Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33181",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T18:48:16.050881Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T18:48:26.867Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-209",
                  "description": "CWE-209: Generation of Error Message Containing Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T20:57:38.437Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-c9cx-ghwr-x58m",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing Stack Trace in Xibo CMS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33181",
        "datePublished": "2023-05-30T20:57:38.437Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T18:48:26.867Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33180 (GCVE-0-2023-33180)

    Vulnerability from cvelistv5 – Published: 2023-05-30 20:18 – Updated: 2025-01-09 21:15
    VLAI
    Title
    Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 3.2.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.827Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33180",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T21:15:04.104699Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T21:15:34.741Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T20:18:40.895Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-7ww5-x9rm-qm89",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33180",
        "datePublished": "2023-05-30T20:18:40.895Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T21:15:34.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33179 (GCVE-0-2023-33179)

    Vulnerability from cvelistv5 – Published: 2023-05-30 20:07 – Updated: 2025-01-09 21:16
    VLAI
    Title
    Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 3.2.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.803Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33179",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T21:16:22.453820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T21:16:43.284Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.2.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T20:07:13.870Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-jmx8-cgm4-7mf5",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33179",
        "datePublished": "2023-05-30T20:07:13.870Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T21:16:43.284Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33178 (GCVE-0-2023-33178)

    Vulnerability from cvelistv5 – Published: 2023-05-30 19:55 – Updated: 2025-01-09 19:16
    VLAI
    Title
    Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter
    Summary
    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this checking was done in a case-sensitive manner, so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 1.4.0, < 2.3.17
    Affected: >= 3.0.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.798Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33178",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T19:16:31.715244Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-09T19:16:45.390Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.4.0, \u003c 2.3.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed, however this checking was done in a case sensitive manor and so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T19:55:49.496Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-g9x2-757j-hmhh",
            "discovery": "UNKNOWN"
          },
          "title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33178",
        "datePublished": "2023-05-30T19:55:49.496Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-01-09T19:16:45.390Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-33177 (GCVE-0-2023-33177)

    Vulnerability from cvelistv5 – Published: 2023-05-30 19:12 – Updated: 2025-06-17 20:21
    VLAI KEVIntel
    Title
    Xibo CMS vulnerable to Remote Code Execution through Zip Slip
    Summary
    Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    xibosignage xibo-cms Affected: >= 1.8.0, < 2.3.17
    Affected: >= 3.0.0, < 3.3.5

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:39:35.620Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
              },
              {
                "name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
              },
              {
                "name": "https://claroty.com/team82/disclosure-dashboard",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://claroty.com/team82/disclosure-dashboard"
              },
              {
                "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-33177",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-09T21:17:24.324205Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T20:21:25.891Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "xibo-cms",
              "vendor": "xibosignage",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 1.8.0, \u003c 2.3.17"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.3.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-30T19:12:01.606Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
            },
            {
              "name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
            },
            {
              "name": "https://claroty.com/team82/disclosure-dashboard",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://claroty.com/team82/disclosure-dashboard"
            },
            {
              "name": "https://xibosignage.com/blog/security-advisory-2023-05/",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://xibosignage.com/blog/security-advisory-2023-05/"
            }
          ],
          "source": {
            "advisory": "GHSA-jj27-x85q-crqv",
            "discovery": "UNKNOWN"
          },
          "title": "Xibo CMS vulnerable to Remote Code Execution through Zip Slip"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-33177",
        "datePublished": "2023-05-30T19:12:01.606Z",
        "dateReserved": "2023-05-17T22:25:50.696Z",
        "dateUpdated": "2025-06-17T20:21:25.891Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }