Xibo
CVE-2023-33180
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the /display/map API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the bounds parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
AnalysisAI
Xibo is a content management system (CMS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the /display/map API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the bounds parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading. Affected products include: Xibosignage Xibo. Version information: version 3.2.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attacke
Xibo is a content management system (CMS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, l
Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attac
Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject ar
Xibo is a content management system (CMS). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, l
SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL
Xibo is a content management system (CMS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,
Xibo is a content management system (CMS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,
Xibo is a content management system (CMS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,
Xibo is an open source digital signage platform with a web content management system (CMS). Rated medium severity (CVSS
Xibo is a content management system (CMS). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable,
Xibo is a content management system (CMS). Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable,
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today