CVE-2024-41804

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-41804
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch Patch Vendor Advisory
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr Patch Vendor Advisory
https://xibosignage.com/blog/security-advisory-2024-07 Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*
cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*
History

23 Aug 2024, 13:39

Type Values Removed Values Added
References () https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch - () https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch - Patch, Vendor Advisory
References () https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr - () https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr - Patch, Vendor Advisory
References () https://xibosignage.com/blog/security-advisory-2024-07 - () https://xibosignage.com/blog/security-advisory-2024-07 - Vendor Advisory
CPE cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*
First Time Xibosignage
Xibosignage xibo

31 Jul 2024, 12:57

Type Values Removed Values Added
Summary
  • (es) Xibo es un sistema de gestión de contenidos (CMS). Se descubrió una vulnerabilidad de inyección SQL en la ruta API dentro del CMS responsable de agregar/editar fórmulas de columnas de conjuntos de datos. Esto permite a un usuario autenticado obtener y modificar datos arbitrarios de la base de datos Xibo inyectando valores especialmente manipulados en el parámetro "formula". Los usuarios deben actualizar a la versión 3.3.12 o 4.0.14, que soluciona este problema.

30 Jul 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-07-30 16:15

Updated : 2024-08-23 13:39

NVD link : CVE-2024-41804

Mitre link : CVE-2024-41804

CVE.ORG link : CVE-2024-41804

JSON object : View

Products Affected

xibosignage

  • xibo
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024