CVE-2023-32342 – IBM GSKit information disclosure
https://notcve.org/view.php?id=CVE-2023-32342
IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. IBM X-Force ID: 255828. • https://exchange.xforce.ibmcloud.com/vulnerabilities/255828 • CWE-203: Observable Discrepancy •
CVE-2023-33181 – Sensitive Information Disclosure abusing Stack Trace in Xibo CMS
https://notcve.org/view.php?id=CVE-2023-33181
Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-c9cx-ghwr-x58m https://xibosignage.com/blog/security-advisory-2023-05 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2023-33180 – Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map
https://notcve.org/view.php?id=CVE-2023-33180
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89 https://xibosignage.com/blog/security-advisory-2023-05 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-33179 – Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter
https://notcve.org/view.php?id=CVE-2023-33179
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5 https://xibosignage.com/blog/security-advisory-2023-05 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-33178 – Sensitive Information Disclosure abusing SQL Injection in Xibo CMS dataset filter
https://notcve.org/view.php?id=CVE-2023-33178
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this checking was done in a case-sensitive manner, so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. • https://claroty.com/team82/disclosure-dashboard https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-g9x2-757j-hmhh https://xibosignage.com/blog/security-advisory-2023-05 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •