Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized user who has any of the following privileges: Page which shows all Layouts that have been created for the purposes of Layout Management; page which shows all Campaigns that have been created for the purposes of Campaign Management; and page which shows all Reports that have been Saved. Users should upgrade to version 4.4.1 which fixes this issue. Upgrading to a fixed version is necessary to remediate.
AnalysisAI
Xibo CMS before version 4.4.1 allows authenticated users to bypass access controls and view campaigns, regions, and reports belonging to other users by manually constructing preview URLs. The vulnerability affects any authenticated user with Layout Management, Campaign Management, or Report viewing privileges and results in unauthorized information disclosure with no impact on data integrity or availability.
Technical ContextAI
Xibo is an open-source digital signage platform consisting of a web-based content management system (CMS) and Windows display player software. The vulnerability stems from inadequate authorization checks on preview and export functionality (CWE-639: Authorization Through User-Controlled Key), where the application fails to verify that the requesting user owns or has explicit permission to access the resource being previewed or exported. The flaw affects three distinct functional areas: Layout Management pages displaying all created layouts, Campaign Management pages displaying all campaigns, and Report pages displaying saved reports. Attackers exploit this by manipulating URL parameters to reference other users' resources, bypassing the intended access control model.
RemediationAI
The primary remediation is to upgrade Xibo CMS to version 4.4.1 or later, which implements proper authorization checks on preview and export endpoints. Organizations unable to patch immediately should restrict access to Layout Management, Campaign Management, and Report viewing pages to trusted users only, using network access controls or web application firewall rules to limit who can reach these URLs. Additionally, implement monitoring on preview and export endpoints to detect suspicious URL parameter manipulation targeting resources not owned by the requesting user. Separate user accounts by functional role (Layout managers, Campaign managers, Report viewers) and use minimal-privilege assignment to reduce the attack surface. These compensating controls do not eliminate the vulnerability but significantly reduce the likelihood and impact of exploitation by limiting the pool of authenticated users who can access these pages.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25367