Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values in to the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading.
References
Link | Resource |
---|---|
https://claroty.com/team82/disclosure-dashboard | Third Party Advisory |
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89 | Vendor Advisory |
https://xibosignage.com/blog/security-advisory-2023-05/ | Vendor Advisory |
https://claroty.com/team82/disclosure-dashboard | Third Party Advisory |
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89 | Vendor Advisory |
https://xibosignage.com/blog/security-advisory-2023-05/ | Vendor Advisory |
Configurations
History
21 Nov 2024, 08:05
Type | Values Removed | Values Added |
---|---|---|
References | () https://claroty.com/team82/disclosure-dashboard - Third Party Advisory | |
References | () https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89 - Vendor Advisory | |
References | () https://xibosignage.com/blog/security-advisory-2023-05/ - Vendor Advisory |
06 Jun 2023, 01:11
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89 - Vendor Advisory | |
References | (MISC) https://xibosignage.com/blog/security-advisory-2023-05/ - Vendor Advisory | |
References | (MISC) https://claroty.com/team82/disclosure-dashboard - Third Party Advisory | |
First Time |
Xibosignage
Xibosignage xibo |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CPE | cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:* | |
CWE | CWE-89 |
30 May 2023, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-30 21:15
Updated : 2024-11-21 08:05
NVD link : CVE-2023-33180
Mitre link : CVE-2023-33180
CVE.ORG link : CVE-2023-33180
JSON object : View
Products Affected
xibosignage
- xibo
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')