Summary
An XSS vulnerability allows authorized users to execute JavaScript via the DataSet functionality.
Impact
Users can design a DataSet with an HTML column that contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it.
Patches
This behaviour has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page.
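To illustrate the difference between the two behaviours, here is an added example (not Xibo's own code; function and column names are assumptions) that renders a DataSet HTML cell once as live markup and once as escaped code, the way the 4.1.0 Data Entry page now displays it:

```javascript
// Added illustration, not Xibo's code: rendering a DataSet "HTML" column on a
// Data Entry page. Function names, the cell shape and the sample are assumptions.

// Escape the characters that let a value break out of text or attribute
// context, so the browser shows the string literally instead of parsing it.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-4.1.0 behaviour: the column's HTML is injected as markup, so any script
// or event handler stored in the cell runs for every user who opens the page.
function renderCellUnsafe(cell) {
  return `<td>${cell.value}</td>`;
}

// 4.1.0 behaviour: HTML/CSS/JS columns are displayed as code. The markup is
// escaped and wrapped in <code>, so it is shown verbatim rather than executed.
function renderCellSafe(cell) {
  if (cell.type === "html") {
    return `<td><code>${escapeHtml(cell.value)}</code></td>`;
  }
  return `<td>${escapeHtml(cell.value)}</td>`;
}

// Constructed sample cell: legitimate markup that also carries a script block.
const sampleCell = { type: "html", value: "<b>Sale</b><script>alert(1)</script>" };

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return { unsafe: renderCellUnsafe(sampleCell), safe: renderCellSafe(sampleCell) };
}
```

Layouts that reference the DataSet still render the column as HTML by design, so the escaping only changes what the Data Entry page shows.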
Workarounds
There are no workarounds for this issue.
References
Reporter ref: K-Xibo-2024-001 Xibo CMS Cross Site Scripting
Acknowledgements
The vulnerability was discovered by Sergey Bobrov (Kaspersky, https://kaspersky.com/)
https://github.com/BlackFan