Xibo CMS vulnerable to Remote Code Execution through Zip Slip
CVE-2023-33177

8.8HIGH

Key Information:

Vendor: Xibosignage
Status: Xibo-cms
Vendor: CVE Published:; 30 May 2023

🔔 Create Xibosignage Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2023-33177?

A path traversal vulnerability exists in Xibo CMS, which allows an authenticated user to upload a specially crafted zip file through the layout import function. This can lead to the creation of files outside the designated CMS library directory, enabling the potential upload of a PHP web shell within the web root directory. This breach can result in remote code execution under the web server's user privileges. Users are advised to upgrade to the patched versions, specifically 2.3.17 or 3.3.5, to mitigate this risk. Xibo Signage customers have already received necessary upgrades to address this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

xibo-cms >= 1.8.0, < 2.3.17 < 1.8.0, 2.3.17

xibo-cms >= 3.0.0, < 3.3.5 < 3.0.0, 3.3.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Xibo-CMS-Zip-Slip-RCE-Exploit-CVE-2023-33177
Created by complexusprada