Impact
An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for filtering DataSets. It allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API used for viewing DataSet data.
Exploitation is possible by an authenticated user who has the following privilege:
- Access to DataSet Feature
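The injection class described above, as an added illustration that is not Xibo's code: a toy DataSet-filter endpoint backed by an in-memory SQLite database, with the vulnerable string-concatenated form beside a hardened form. The table, column and parameter names (`dataset_row`, `user`, `filter_clause`, `order_by`) are constructed for this demo and do not correspond to Xibo's schema or API routes.

```python
"""Added example: SQL injection through a DataSet-style filter endpoint.

Not Xibo's code. Table and column names are constructed for the demo.
"""
import sqlite3

ALLOWED_COLUMNS = {"col1", "col2"}
ALLOWED_OPS = {"=", "!=", "LIKE"}


def make_db():
    """Build an in-memory database with a DataSet table and a user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE dataset_row (id INTEGER PRIMARY KEY, col1 TEXT, col2 TEXT);
        INSERT INTO dataset_row (col1, col2) VALUES ('london', 'sunny'), ('paris', 'rain');
        CREATE TABLE user (userId INTEGER PRIMARY KEY, userName TEXT, password TEXT);
        INSERT INTO user (userName, password) VALUES ('xibo_admin', '$2y$10$constructedhash');
        """
    )
    return conn


def filter_rows_vulnerable(conn, filter_clause, order_by):
    """Anti-pattern: the caller-supplied filter and ordering are concatenated straight
    into the statement, so a filter value can close the WHERE clause and append a UNION
    that pulls rows from any other table the CMS database user can read."""
    sql = f"SELECT col1, col2 FROM dataset_row WHERE {filter_clause} ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def filter_rows_safe(conn, column, op, value, order_by):
    """Hardened form: identifiers (column names, operator) cannot be bound as parameters,
    so they are validated against an allowlist; the comparison value is bound with '?'
    and is never interpreted as SQL."""
    if column not in ALLOWED_COLUMNS or order_by not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
        raise ValueError("invalid filter")
    sql = f"SELECT col1, col2 FROM dataset_row WHERE {column} {op} ? ORDER BY {order_by}"
    return conn.execute(sql, (value,)).fetchall()


def demo():
    """Run both forms against a benign filter and an injected one; return the results."""
    conn = make_db()
    # Injected filter: neutralise the intended predicate, union in the user table,
    # and comment out the trailing ORDER BY that the endpoint appends.
    payload = "1=0 UNION SELECT userName, password FROM user --"
    results = {
        "vulnerable_benign": filter_rows_vulnerable(conn, "col1 = 'london'", "col1"),
        "vulnerable_injected": filter_rows_vulnerable(conn, payload, "col1"),
        # Same payload as a bound value: it is compared literally against col1, matches nothing.
        "safe_injected_value": filter_rows_safe(conn, "col1", "=", payload, "col1"),
    }
    try:
        # Same payload smuggled as an identifier is rejected by the allowlist.
        filter_rows_safe(conn, payload, "=", "x", "col1")
        results["safe_injected_identifier"] = "accepted"
    except ValueError:
        results["safe_injected_identifier"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable call returns the credential row from `user` in place of DataSet rows, which is the "arbitrary data from the database" outcome the advisory describes; the hardened call returns nothing for the same input and rejects it outright when it is used where an identifier is expected.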
Patches
Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue. Customers who host their CMS with Xibo Signage have been patched across all vulnerable versions.
Workarounds
Upgrading to a fixed version is necessary to remediate.
Patches are available for earlier versions of Xibo CMS that are out of security support:
References
Xibo Signage Security Advisory - https://xibosignage.com/blog/security-advisory-2024-07
Reporter ref: K-Xibo-2024-010 Xibo CMS SQL Injection
Acknowledgements
The vulnerability was discovered by Sergey Bobrov (Kaspersky, https://kaspersky.com/)
https://github.com/BlackFan