
CVSS: 4.9 | EPSS: 0% | CPEs: 2 | EXPL: 0

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14, which fix this issue.
References: https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv https://xibosignage.com/blog/security-advisory-2024-07
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can also be injected into the display grid to exfiltrate information related to displays.
References: https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq https://xibosignage.com/blog/security-advisory-2024-04
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-117: Improper Output Neutralization for Logs

CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of the session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be granted access to the session page, or be a super admin. Users should upgrade to version 3.3.10 or 4.0.9, which fix this issue.
References: https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7 https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39 https://xibosignage.com/blog/security-advisory-2024-04
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes print a stack trace when called with missing or invalid parameters, revealing sensitive information about the filesystem paths the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
References: https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m https://xibosignage.com/blog/security-advisory-2023-05
CWE-209: Generation of Error Message Containing Sensitive Information

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered, affecting versions starting in 3.2.0 and prior to 3.3.2, in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
References: https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89 https://xibosignage.com/blog/security-advisory-2023-05
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')