22 vulnerabilities by xibosignage
CVE-2026-31956 (GCVE-0-2026-31956)
Vulnerability from cvelistv5 – Published: 2026-04-24 00:16 – Updated: 2026-04-24 13:08
Title
Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization
Summary
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xibosignage | xibo-cms |
Affected:
< 4.4.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31956",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T13:08:09.832329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T13:08:17.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T00:16:03.413Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-q6rv-8hhj-3fr8"
},
{
"name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
}
],
"source": {
"advisory": "GHSA-q6rv-8hhj-3fr8",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS has Preview and SavedReport IDOR via disableUserCheck without controller-level authorization"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31956",
"datePublished": "2026-04-24T00:16:03.413Z",
"dateReserved": "2026-03-10T15:40:10.479Z",
"dateUpdated": "2026-04-24T13:08:17.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31955 (GCVE-0-2026-31955)
Vulnerability from cvelistv5 – Published: 2026-04-24 00:14 – Updated: 2026-04-24 00:14
Title
Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality
Summary
Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include "Add DataSet" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
Severity ?
4.9 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xibosignage | xibo-cms |
Affected:
< 4.4.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. This can be exploited to scan internal infrastructure, access local cloud metadata endpoints (e.g., AWS IMDS), interact with internal services that lack authentication, or exfiltrate data. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Include \"Add DataSet\" button to allow for additional DataSets to be created independently to Layouts. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T00:14:15.950Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-5q58-9vhx-xg2p"
},
{
"name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
}
],
"source": {
"advisory": "GHSA-5q58-9vhx-xg2p",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS has Authenticated Server-Side Request Forgery (SSRF) in Remote DataSet Functionality"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31955",
"datePublished": "2026-04-24T00:14:15.950Z",
"dateReserved": "2026-03-10T15:10:10.658Z",
"dateUpdated": "2026-04-24T00:14:15.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31953 (GCVE-0-2026-31953)
Vulnerability from cvelistv5 – Published: 2026-04-24 00:08 – Updated: 2026-04-24 18:18
Title
Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login
Summary
Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an "interrupt," the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include "Add Notification" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xibosignage | xibo-cms |
Affected:
< 4.4.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T17:06:13.418352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:18:24.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is set as an \"interrupt,\" the payload executes automatically in the browser of any targeted user upon login, requiring zero user interaction. Exploitation of the vulnerability is possible on behalf of an authorized user who has both of the following privileges, which are not granted to non-admins as standard: Access to the Notification Centre to view past notifications, and include \"Add Notification\" button to allow for the creation of new notifications. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate. Users unable to upgrade should revoke such privileges from users they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T00:08:21.548Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-85w9-c833-q4w2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-85w9-c833-q4w2"
},
{
"name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
}
],
"source": {
"advisory": "GHSA-85w9-c833-q4w2",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS has Stored XSS via Notification Body with Zero-Click Execution on Login"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31953",
"datePublished": "2026-04-24T00:08:21.548Z",
"dateReserved": "2026-03-10T15:10:10.657Z",
"dateUpdated": "2026-04-24T18:18:24.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31952 (GCVE-0-2026-31952)
Vulnerability from cvelistv5 – Published: 2026-04-24 00:05 – Updated: 2026-04-24 16:31
Title
Xibo CMS API has SQL Injection via DataSet Filter Parameter
Summary
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8.
Severity ?
7.6 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xibosignage | xibo-cms |
Affected:
>= 1.7, < 4.4.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31952",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:31:28.534964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T16:31:37.061Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.7, \u003c 4.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the API filter parameter. Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the `Access to DataSet Feature` privilege or the `Access to the Layout Feature` privilege. Users should upgrade to version 4.4.1 which fixes this issue. Customers who host their CMS with Xibo Signage have been patched if they are using 4.4, 4.3, 3.3, 2.3 or 1.8. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of support, namely 3.3, 2.3, and 1.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T00:05:04.782Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-rq92-f6fv-3629"
},
{
"name": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dasgarner/xibo-cms/commit/b8d25fe6cb0232b645c3850afdc2499b0e46c1e6"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/87e0a26b0c06e349561a6becdc00f3bb01259736"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/ed213cb4f42d4f50cf8012e01e95bb70127fc6a4"
},
{
"name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.4.1"
}
],
"source": {
"advisory": "GHSA-rq92-f6fv-3629",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS API has SQL Injection via DataSet Filter Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31952",
"datePublished": "2026-04-24T00:05:04.782Z",
"dateReserved": "2026-03-10T15:10:10.657Z",
"dateUpdated": "2026-04-24T16:31:37.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62369 (GCVE-0-2025-62369)
Vulnerability from cvelistv5 – Published: 2025-11-04 21:18 – Updated: 2025-11-05 14:29
Title
Xibo CMS: Remote Code Execution through module templates
Summary
Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To work around this issue, use the 4.1 and 4.2 patch commits.
Severity ?
7.2 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xibosignage | xibo-cms |
Affected:
< 4.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-05T14:29:27.039876Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-05T14:29:33.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003c 4.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu\u0027s Module Templating functionality, allowing authenticated users with \"System -\u003e Add/Edit custom modules and templates\" permissions to manipulate Twig filters and execute arbitrary server-side functions as the web server user. This issue is fixed in version 4.3.1. To workaround this issue, use the 4.1 and 4.2 patch commits."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-04T21:18:38.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7rmm-689c-gjgv"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/0f4e88396111ea027785a48dd8f5eeb14536bd71"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/ecd4f9d2cea739a46756a108a839cac80f65cf10"
},
{
"name": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/releases/tag/4.3.1"
},
{
"name": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://patch-diff.githubusercontent.com/raw/xibosignage/xibo-cms/pull/3128.patch"
}
],
"source": {
"advisory": "GHSA-7rmm-689c-gjgv",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS: Remote Code Execution through module templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62369",
"datePublished": "2025-11-04T21:18:38.880Z",
"dateReserved": "2025-10-10T14:22:48.204Z",
"dateUpdated": "2025-11-05T14:29:33.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43413 (GCVE-0-2024-43413)
Vulnerability from cvelistv5 – Published: 2024-09-03 18:52 – Updated: 2024-09-03 19:28
Title
Xibo CMS XSS vulnerability using DataSet HTML columns
Summary
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with an HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xibosignage | xibo-cms |
Affected:
< 4.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T19:28:33.555383Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T19:28:40.467Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T18:52:27.153Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1"
}
],
"source": {
"advisory": "GHSA-pfxp-vxh7-2h9f",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS XSS vulnerability using DataSet HTML columns"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43413",
"datePublished": "2024-09-03T18:52:27.153Z",
"dateReserved": "2024-08-12T18:02:04.967Z",
"dateUpdated": "2024-09-03T19:28:40.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43412 (GCVE-0-2024-43412)
Vulnerability from cvelistv5 – Published: 2024-09-03 16:52 – Updated: 2024-09-03 17:43
Title
Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS
Summary
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the user's browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to prevent previewing of generic files. There are no workarounds for this issue.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xibosignage | xibo-cms |
Affected:
< 4.1.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T17:40:46.046472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T17:43:03.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. This is intended functionality. When previewing these resources from the Library and Layout editor they are executed in the users browser. This will be disabled in future releases, and users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality. This behavior has been changed in 4.1.0 to preview previewing of generic files. There are no workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T16:52:23.643Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-336f-wrgx-57gg"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/d8f13339469d9f19ce591fb2bd7c9e0e0d2da118"
}
],
"source": {
"advisory": "GHSA-336f-wrgx-57gg",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS XSS vulnerability when previewing files uploaded to the library containing HTML/JS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43412",
"datePublished": "2024-09-03T16:52:23.643Z",
"dateReserved": "2024-08-12T18:02:04.967Z",
"dateUpdated": "2024-09-03T17:43:03.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41944 (GCVE-0-2024-41944)
Vulnerability from cvelistv5 – Published: 2024-07-30 16:24 – Updated: 2024-08-02 04:54
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `sortBy` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r | x_refsource_CONFIRM |
| https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch | x_refsource_MISC |
| https://xibosignage.com/blog/security-advisory-2024-07 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 2.1.0, < 3.3.12; Affected: >= 4.0.0-alpha, < 4.0.14 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "3.3.12",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "4.0.14",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T16:39:27.628296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:39:38.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:54:31.359Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "=\u003e 2.1.0, \u003c 3.3.12"
},
{
"status": "affected",
"version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `sortBy` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:24:40.398Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-v6q4-h869-gm3r"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/c60cfd8727da77b9db10297148eadd697ebec353.patch"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"source": {
"advisory": "GHSA-v6q4-h869-gm3r",
"discovery": "UNKNOWN"
},
"title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41944",
"datePublished": "2024-07-30T16:24:40.398Z",
"dateReserved": "2024-07-24T16:51:40.947Z",
"dateUpdated": "2024-08-02T04:54:31.359Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41804 (GCVE-0-2024-41804)
Vulnerability from cvelistv5 – Published: 2024-07-30 15:51 – Updated: 2024-08-02 04:46
Title
Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr | x_refsource_CONFIRM |
| https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch | x_refsource_MISC |
| https://xibosignage.com/blog/security-advisory-2024-07 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 2.1.0, < 3.3.12; Affected: >= 4.0.0-alpha, < 4.0.14 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "3.3.12",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "4.0.14",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T16:22:10.295843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:37:49.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.668Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "=\u003e 2.1.0, \u003c 3.3.12"
},
{
"status": "affected",
"version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T15:51:53.961Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"source": {
"advisory": "GHSA-4pp3-4mw7-qfwr",
"discovery": "UNKNOWN"
},
"title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41804",
"datePublished": "2024-07-30T15:51:53.961Z",
"dateReserved": "2024-07-22T13:57:37.135Z",
"dateUpdated": "2024-08-02T04:46:52.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41802 (GCVE-0-2024-41802)
Vulnerability from cvelistv5 – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
Title
Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout containing DataSet data.
Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
Severity ?
8.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2 | x_refsource_CONFIRM |
| https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075 | x_refsource_MISC |
| https://xibosignage.com/blog/security-advisory-2024-07 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 1.8.0, < 3.3.12; Affected: >= 4.0.0-alpha, < 4.0.14 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:1.8.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "3.3.12",
"status": "affected",
"version": "1.8.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "4.0.14",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41802",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T16:24:46.548222Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:45:37.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "=\u003e 1.8.0, \u003c 3.3.12"
},
{
"status": "affected",
"version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the APIs for importing JSON and importing a Layout containing DataSet data.\nUsers should upgrade to version 3.3.12 or 4.0.14 which fix this issue"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T15:49:52.120Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"source": {
"advisory": "GHSA-x4qm-vvhp-g7c2",
"discovery": "UNKNOWN"
},
"title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41802",
"datePublished": "2024-07-30T15:49:52.120Z",
"dateReserved": "2024-07-22T13:57:37.135Z",
"dateUpdated": "2024-08-02T04:46:52.692Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41803 (GCVE-0-2024-41803)
Vulnerability from cvelistv5 – Published: 2024-07-30 15:49 – Updated: 2024-08-02 04:46
Title
Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv | x_refsource_CONFIRM |
| https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch | x_refsource_MISC |
| https://xibosignage.com/blog/security-advisory-2024-07 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 2.1.0, < 3.3.12; Affected: >= 4.0.0-alpha, < 4.0.14 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:2.1.0:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "3.3.12",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:4.0.0:alpha:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "4.0.14",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T16:38:38.942869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T16:38:53.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "=\u003e 2.1.0, \u003c 3.3.12"
},
{
"status": "affected",
"version": "=\u003e 4.0.0-alpha, \u003c 4.0.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain arbitrary data from the Xibo database by injecting specially crafted values in to the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T15:49:51.716Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-07",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-07"
}
],
"source": {
"advisory": "GHSA-hpc5-mxfq-44hv",
"discovery": "UNKNOWN"
},
"title": "Xibo allows Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41803",
"datePublished": "2024-07-30T15:49:51.716Z",
"dateReserved": "2024-07-22T13:57:37.135Z",
"dateUpdated": "2024-08-02T04:46:52.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29022 (GCVE-0-2024-29022)
Vulnerability from cvelistv5 – Published: 2024-04-12 21:04 – Updated: 2024-08-02 01:03
Title
Session Hijacking via XSS attack in header and session grid in Xibo CMS
Summary
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this issue. Note that the 1.8 patch is published from a user fork (github.com/dasgarner/xibo-cms) rather than the xibosignage organisation repository; verify its provenance against the advisory before applying it to an out-of-support 1.8 deployment.
Severity ?
8.8 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-117 - Improper Output Neutralization for Logs
Assigner: GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq | x_refsource_CONFIRM |
| https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff | x_refsource_MISC |
| https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff | x_refsource_MISC |
| https://xibosignage.com/blog/security-advisory-2024-04 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 1.8.0, < 3.3.10; Affected: >= 4.0.0, < 4.0.9 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "3.3.10",
"status": "affected",
"version": "1.8.0",
"versionType": "custom"
},
{
"lessThan": "4.0.9",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29022",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T15:17:47.008243Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T16:46:10.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.421Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq"
},
{
"name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-04",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e=1.8.0, \u003c 3.3.10"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117: Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-12T21:04:23.813Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq"
},
{
"name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-04"
}
],
"source": {
"advisory": "GHSA-xchw-pf2w-rpgq",
"discovery": "UNKNOWN"
},
"title": "Session Hijacking via XSS attack in header and session grid in Xibo CMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29022",
"datePublished": "2024-04-12T21:04:23.813Z",
"dateReserved": "2024-03-14T16:59:47.611Z",
"dateUpdated": "2024-08-02T01:03:51.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-29023 (GCVE-0-2024-29023)
Vulnerability from cvelistv5 – Published: 2024-04-12 21:00 – Updated: 2024-08-02 01:03
Title
Session Hijacking via token exposure on the session page in Xibo CMS
Summary
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of the session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be granted access to the session page, or be a super admin. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this vulnerability. Note that the 1.8 patch is published from a user fork (github.com/dasgarner/xibo-cms) rather than the xibosignage organisation repository; verify its provenance against the advisory before applying it to an out-of-support 1.8 deployment.
Severity ?
7.2 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags |
|---|---|
| https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39 | x_refsource_CONFIRM |
| https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff | x_refsource_MISC |
| https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde | x_refsource_MISC |
| https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7 | x_refsource_MISC |
| https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff | x_refsource_MISC |
| https://xibosignage.com/blog/security-advisory-2024-04 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 1.8.0, < 3.3.10; Affected: >= 4.0.0, < 4.0.9 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xibo",
"vendor": "xibosignage",
"versions": [
{
"lessThan": "3.3.10",
"status": "affected",
"version": "1.8.0",
"versionType": "custom"
},
{
"lessThan": "4.0.9",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T13:17:42.679021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T18:44:58.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:03:51.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39"
},
{
"name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-04",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-04"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 3.3.10"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.0.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the response of the session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. To exploit this, a user must have been granted access to the sessions page, or be a super admin. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-12T21:00:55.671Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39"
},
{
"name": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2024-04",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2024-04"
}
],
"source": {
"advisory": "GHSA-xmc6-cfq5-hg39",
"discovery": "UNKNOWN"
},
"title": "Session Hijacking via token exposure on the session page in Xibo CMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29023",
"datePublished": "2024-04-12T21:00:55.671Z",
"dateReserved": "2024-03-14T16:59:47.611Z",
"dateUpdated": "2024-08-02T01:03:51.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33181 (GCVE-0-2023-33181)
Vulnerability from cvelistv5 – Published: 2023-05-30 20:57 – Updated: 2025-01-09 18:48
Title
Sensitive Information Disclosure abusing Stack Trace in Xibo CMS
Summary
Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
Severity
4.3 (Medium)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 3.0.0, < 3.3.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.745Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33181",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T18:48:16.050881Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T18:48:26.867Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T20:57:38.437Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"source": {
"advisory": "GHSA-c9cx-ghwr-x58m",
"discovery": "UNKNOWN"
},
"title": "Sensitive Information Disclosure abusing Stack Trace in Xibo CMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33181",
"datePublished": "2023-05-30T20:57:38.437Z",
"dateReserved": "2023-05-17T22:25:50.696Z",
"dateUpdated": "2025-01-09T18:48:26.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33180 (GCVE-0-2023-33180)
Vulnerability from cvelistv5 – Published: 2023-05-30 20:18 – Updated: 2025-01-09 21:15
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
Severity
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 3.2.0, < 3.3.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33180",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T21:15:04.104699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T21:15:34.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T20:18:40.895Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"source": {
"advisory": "GHSA-7ww5-x9rm-qm89",
"discovery": "UNKNOWN"
},
"title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33180",
"datePublished": "2023-05-30T20:18:40.895Z",
"dateReserved": "2023-05-17T22:25:50.696Z",
"dateUpdated": "2025-01-09T21:15:34.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33179 (GCVE-0-2023-33179)
Vulnerability from cvelistv5 – Published: 2023-05-30 20:07 – Updated: 2025-01-09 21:16
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading.
Severity
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 3.2.0, < 3.3.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.803Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T21:16:22.453820Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T21:16:43.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T20:07:13.870Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"source": {
"advisory": "GHSA-jmx8-cgm4-7mf5",
"discovery": "UNKNOWN"
},
"title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33179",
"datePublished": "2023-05-30T20:07:13.870Z",
"dateReserved": "2023-05-17T22:25:50.696Z",
"dateUpdated": "2025-01-09T21:16:43.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33178 (GCVE-0-2023-33178)
Vulnerability from cvelistv5 – Published: 2023-05-30 19:55 – Updated: 2025-01-09 19:16
Title
Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter
Summary
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this checking was done in a case-sensitive manner and so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading.
Severity
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 1.4.0, < 2.3.17; Affected: >= 3.0.0, < 3.3.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.798Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T19:16:31.715244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T19:16:45.390Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.4.0, \u003c 2.3.17"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this checking was done in a case-sensitive manner and so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T19:55:49.496Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"source": {
"advisory": "GHSA-g9x2-757j-hmhh",
"discovery": "UNKNOWN"
},
"title": "Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33178",
"datePublished": "2023-05-30T19:55:49.496Z",
"dateReserved": "2023-05-17T22:25:50.696Z",
"dateUpdated": "2025-01-09T19:16:45.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33177 (GCVE-0-2023-33177)
Vulnerability from cvelistv5 – Published: 2023-05-30 19:12 – Updated: 2025-06-17 20:21
Title
Xibo CMS vulnerable to Remote Code Execution through Zip Slip
Summary
Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.
Severity
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xibosignage | xibo-cms | Affected: >= 1.8.0, < 2.3.17; Affected: >= 3.0.0, < 3.3.5 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.620Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T21:17:24.324205Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:21:25.891Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xibo-cms",
"vendor": "xibosignage",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 2.3.17"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.3.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-30T19:12:01.606Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658"
},
{
"name": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9"
},
{
"name": "https://claroty.com/team82/disclosure-dashboard",
"tags": [
"x_refsource_MISC"
],
"url": "https://claroty.com/team82/disclosure-dashboard"
},
{
"name": "https://xibosignage.com/blog/security-advisory-2023-05/",
"tags": [
"x_refsource_MISC"
],
"url": "https://xibosignage.com/blog/security-advisory-2023-05/"
}
],
"source": {
"advisory": "GHSA-jj27-x85q-crqv",
"discovery": "UNKNOWN"
},
"title": "Xibo CMS vulnerable to Remote Code Execution through Zip Slip"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33177",
"datePublished": "2023-05-30T19:12:01.606Z",
"dateReserved": "2023-05-17T22:25:50.696Z",
"dateUpdated": "2025-06-17T20:21:25.891Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4888 (GCVE-0-2013-4888)
Vulnerability from cvelistv5 – Published: 2014-01-29 18:00 – Updated: 2024-08-06 16:59
Summary
Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page.
Severity: no CVSS data is available in this record. The CNA (mitre) supplied no metrics, and the affected vendor/product/version fields are all "n/a", so the only version information is the Xibo 1.4.2 cited in the description; consult NVD or the vendor before relying on a score for prioritisation.
CWE: n/a — the record assigns no weakness type. The description is a cross-site scripting issue, which is conventionally classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).
Date Public
2013-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:59:40.631Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-29T17:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4888",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html",
"refsource": "MISC",
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4888",
"datePublished": "2014-01-29T18:00:00.000Z",
"dateReserved": "2013-07-22T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:59:40.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4889 (GCVE-0-2013-4889)
Vulnerability from cvelistv5 – Published: 2014-01-29 18:00 – Updated: 2024-08-06 16:59
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888.
Severity: no CVSS data is available in this record. The CNA (mitre) supplied no metrics, and the affected vendor/product/version fields are all "n/a", so the only version information is the Xibo 1.4.2 cited in the description; consult NVD or the vendor before relying on a score for prioritisation.
CWE: n/a — the record assigns no weakness type. The description is a cross-site request forgery issue, which is conventionally classified as CWE-352 (Cross-Site Request Forgery). Note that item (1), adding an administrator via the AddUser action, is a privilege-escalation primitive when chained with an authenticated administrator's browser session.
Date Public
2013-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:59:41.021Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-29T17:57:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4889",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html",
"refsource": "MISC",
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4889",
"datePublished": "2014-01-29T18:00:00.000Z",
"dateReserved": "2013-07-22T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:59:41.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-4887 (GCVE-0-2013-4887)
Vulnerability from cvelistv5 – Published: 2014-01-29 18:00 – Updated: 2024-08-06 16:59
Summary
SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter.
Severity: no CVSS data is available in this record. The CNA (mitre) supplied no metrics, and the affected vendor/product/version fields are all "n/a", so the only version information is the Xibo 1.4.2 cited in the description; consult NVD or the vendor before relying on a score for prioritisation.
CWE: n/a — the record assigns no weakness type. The description is a SQL injection issue, which is conventionally classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Date Public
2013-07-30 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:59:40.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "xibo-cve20134887-sql-injection(86777)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86777"
},
{
"name": "62071",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/62071"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-07-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "xibo-cve20134887-sql-injection(86777)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86777"
},
{
"name": "62071",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/62071"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-4887",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "xibo-cve20134887-sql-injection(86777)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/86777"
},
{
"name": "62071",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/62071"
},
{
"name": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html",
"refsource": "MISC",
"url": "http://infosec42.blogspot.com/2013/08/exploit-xibo-digital-signage-sql.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-4887",
"datePublished": "2014-01-29T18:00:00.000Z",
"dateReserved": "2013-07-22T00:00:00.000Z",
"dateUpdated": "2024-08-06T16:59:40.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-5979 (GCVE-0-2013-5979)
Vulnerability from cvelistv5 – Published: 2013-10-02 22:00 – Updated: 2024-09-16 16:32
Summary
Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
Severity: no CVSS data is available in this record. The CNA (mitre) supplied no metrics, and the affected vendor/product/version fields are all "n/a", so the only version information is the range given in the description (1.2.x before 1.2.3 and 1.4.x before 1.4.2); consult NVD or the vendor before relying on a score for prioritisation.
CWE: n/a — the record assigns no weakness type. The description is a directory traversal issue allowing arbitrary file read, which is conventionally classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:29:42.718Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-%28DS-2013-00"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/xibo/+bug/1093967"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-10-02T22:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-%28DS-2013-00"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/xibo/+bug/1093967"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5979",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-(DS-2013-00",
"refsource": "MISC",
"url": "http://www.baesystemsdetica.com.au/Research/Advisories/Xibo-Directory-Traversal-Vulnerability-(DS-2013-00"
},
{
"name": "https://bugs.launchpad.net/xibo/+bug/1093967",
"refsource": "CONFIRM",
"url": "https://bugs.launchpad.net/xibo/+bug/1093967"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5979",
"datePublished": "2013-10-02T22:00:00.000Z",
"dateReserved": "2013-10-02T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:32:55.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}