CVE-2023-32342 – IBM GSKit information disclosure
https://notcve.org/view.php?id=CVE-2023-32342
IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 255828. • https://exchange.xforce.ibmcloud.com/vulnerabilities/255828 • CWE-203: Observable Discrepancy •
CVE-2023-33181 – Sensitive Information Disclosure abusing Stack Trace in Xibo CMS
https://notcve.org/view.php?id=CVE-2023-33181
Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m https://xibosignage.com/blog/security-advisory-2023-05 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2023-33180 – Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map
https://notcve.org/view.php?id=CVE-2023-33180
This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89 https://xibosignage.com/blog/security-advisory-2023-05 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-33179 – Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter
https://notcve.org/view.php?id=CVE-2023-33179
This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5 https://xibosignage.com/blog/security-advisory-2023-05 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-33178 – Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter
https://notcve.org/view.php?id=CVE-2023-33178
An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh https://xibosignage.com/blog/security-advisory-2023-05 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •