Skip to main content

Gibbon CVE-2023-34598

CRITICAL
Path Traversal (CWE-22)
2023-06-29 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 29, 2023 - 15:15 nvd
CRITICAL 9.8

DescriptionNVD

Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response.

AnalysisAI

Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response. Affected products include: Gibbonedu Gibbon.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

More in Gibbon

View all
CVE-2024-24725 HIGH POC
8.8 Mar 23

Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POS

CVE-2024-24724 CRITICAL POC
9.8 Apr 03

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Re

CVE-2023-45878 CRITICAL POC
9.8 Nov 14

GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not

CVE-2023-45880 HIGH POC
7.2 Nov 14

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. Rated high severity

CVE-2024-34831 MEDIUM POC
6.1 Sep 10

cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the im

CVE-2023-45881 MEDIUM POC
6.1 Nov 14

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resu

CVE-2023-34599 MEDIUM POC
6.1 Jun 29

Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to ex

CVE-2022-27311 CRITICAL
9.8 Apr 25

Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. Rated critic

CVE-2023-45879 MEDIUM POC
5.4 Nov 14

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component. Rated medium seve

CVE-2022-27305 HIGH
8.8 May 25

Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to se

CVE-2024-51337 LOW POC
3.5 Nov 21

Cross Site Scripting vulnerability in Gibbon before v.27.0.01 and fixed in v.28.0.00 allows a remote attacker to obtain

CVE-2021-40492 MEDIUM
6.1 Sep 03

A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary

Share

CVE-2023-34598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy