SQL Injection Vulnerability in Xibo Content Management System
CVE-2024-41802

8.1HIGH

Key Information:

Vendor

Xibosignage

Status
Xibo
Vendor
CVE Published:
30 July 2024

What is CVE-2024-41802?

An SQL injection vulnerability exists in the Xibo content management system that impacts the API routes involved in Filtering DataSets. It permits authenticated users to inject maliciously crafted input via the APIs used for importing JSON and Layouts that include DataSet data. This vulnerability could lead to unauthorized access and manipulation of sensitive information within the Xibo database. Affected users are advised to upgrade to versions 3.3.12 or 4.0.14, which provide necessary patches to mitigate this issue.

References

https://github.com/xibosignage/xibo-cms/security/advisori...
https://github.com/xibosignage/xibo-cms/commit/b7a5899338...
https://xibosignage.com/blog/security-advisory-2024-07

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.