CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-45879
https://notcve.org/view.php?id=CVE-2023-45879
14 Nov 2023 — GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component. GibbonEdu Gibbon versión 25.0.0 permite la inyección de HTML a través de un elemento IFRAME al componente Messager. • https://herolab.usd.de/security-advisories/usd-2023-0019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-45880
https://notcve.org/view.php?id=CVE-2023-45880
14 Nov 2023 — GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot. GibbonEdu Gibbon hasta la versión 25.0.0 permite el Directory Traversal a través del generador de plantillas de informes. • https://herolab.usd.de/security-advisories/usd-2023-0022 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-45878
https://notcve.org/view.php?id=CVE-2023-45878
14 Nov 2023 — GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. • https://herolab.usd.de/security-advisories/usd-2023-0025 • CWE-787: Out-of-bounds Write •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-45881
https://notcve.org/view.php?id=CVE-2023-45881
14 Nov 2023 — GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response. GibbonEdu Gibbon hasta la versión 25.0.0 permite la carga de archivos /modules/Planner/resources_addQuick_ajaxProcess.php con el XSS resultante. El parámetro imageAsLinks debe establecerse en Y para devolver código HTML. • https://herolab.usd.de/security-advisories/usd-2023-0024 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27305
https://notcve.org/view.php?id=CVE-2022-27305
25 May 2022 — Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. Gibbon versión v23, no genera una nueva cookie de identificación de sesión después de que un usuario es autenticado, haciendo que la aplicación sea vulnerable a una fijación de sesión • http://gibbon.com • CWE-384: Session Fixation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27311
https://notcve.org/view.php?id=CVE-2022-27311
25 Apr 2022 — Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. Gibbon versiones v3.4.4 y posteriores, permiten a atacantes ejecutar un ataque de tipo Server-Side Request Forgery (SSRF) por medio de una URL diseñada • https://github.com/amro/gibbon/commit/b2eb99ed304d7491a6d348a5bbdc83a008fc6e0b • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23871
https://notcve.org/view.php?id=CVE-2022-23871
03 Feb 2022 — Multiple cross-site scripting (XSS) vulnerabilities in the component outcomes_addProcess.php of Gibbon CMS v22.0.01 allow attackers to execute arbitrary web scripts or HTML via a crafted payload insterted into the name, category, description parameters. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en el componente outcomes_addProcess.php de Gibbon CMS versión v22.0.01, permiten a atacantes ejecutar scripts web o HTML arbitrarios por medio de una carga útil diseñada insertada en los parámetr... • https://github.com/truonghuuphuc/CVE • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-22868
https://notcve.org/view.php?id=CVE-2022-22868
28 Jan 2022 — Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability, that allows attackers to inject arbitrary script via name parameters. Se ha detectado que Gibbon CMS versión v22.0.01, contiene una vulnerabilidad de tipo cross-site scripting (XSS), que permite a atacantes inyectar script arbitrario por medio de parámetros name • https://github.com/GibbonEdu/core/issues/1594 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-40214
https://notcve.org/view.php?id=CVE-2021-40214
13 Sep 2021 — Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component. Gibbon versión v22.0.00, sufre una vulnerabilidad de tipo XSS almacenado dentro del componente wall messages • https://gibbonedu.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40492
https://notcve.org/view.php?id=CVE-2021-40492
03 Sep 2021 — A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents to index.php). Se presenta una vulnerabilidad de tipo XSS reflejada en varias páginas en versión 22 de la aplicación Gibbon que permite una ejecución arbitraria de JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate o allStudents a index.php) • https://github.com/5qu1n7/CVE-2021-40492 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •