File Upload Vulnerability in GibbonEdu by Gibbon
CVE-2023-45881

6.1 MEDIUM

Key Information:

Vendor: Gibbonedu

Status
Vendor
CVE Published: 14 November 2023

What is CVE-2023-45881?

GibbonEdu, up to version 25.0.0, contains a vulnerability that allows unauthorized file uploads through the /modules/Planner/resources_addQuick_ajaxProcess.php endpoint. By manipulating the imageAsLinks parameter, an attacker can inject HTML code into the response by way of the filename attribute of the bodyfile1 parameter. This makes Cross-Site Scripting (XSS) attacks possible, compromising the integrity of web applications that use GibbonEdu.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
