Page 2 of 8 results (0.010 seconds)

CVSS: 4.9EPSS: 0%CPEs: 2EXPL: 0

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain arbitrary data from the Xibo database by injecting specially crafted values in to the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue. • https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv https://xibosignage.com/blog/security-advisory-2024-07 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. • https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xchw-pf2w-rpgq https://xibosignage.com/blog/security-advisory-2024-04 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-117: Improper Output Neutralization for Logs •

CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0

Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be granted access to the session page, or be a super admin. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. • https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7 https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39 https://xibosignage.com/blog/security-advisory-2024-04 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •