CVE-2023-33180

Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-05-17 CVE Reserved
2023-05-30 CVE Published
2024-08-02 CVE Updated
2024-11-09 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CAPEC

References (3)

URL	Tag	Source
https://claroty.com/team82/disclosure-dashboard	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89	2023-06-06
https://xibosignage.com/blog/security-advisory-2023-05	2023-06-06

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xibosignage Search vendor "Xibosignage"		Xibo Search vendor "Xibosignage" for product "Xibo"				>= 3.2.0 < 3.3.5 Search vendor "Xibosignage" for product "Xibo" and version " >= 3.2.0 < 3.3.5"		-		Affected