CVE-2024-41803

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain arbitrary data from the Xibo database by injecting specially crafted values in to the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch	Patch Vendor Advisory
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv	Patch Vendor Advisory
https://xibosignage.com/blog/security-advisory-2024-07	Vendor Advisory
https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch	Patch Vendor Advisory
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv	Patch Vendor Advisory
https://xibosignage.com/blog/security-advisory-2024-07	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xibosignage:xibo::::::::
	cpe:2.3:a:xibosignage:xibo::::::::

History

No history.

Information

Published : 2024-07-30 16:15

Updated : 2024-11-21 09:33

NVD link : CVE-2024-41803

Mitre link : CVE-2024-41803

CVE.ORG link : CVE-2024-41803

JSON object : View

Products Affected

xibosignage

xibo

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2024-41803", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2024-07-30T16:15:04.643", "references": [{"url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://xibosignage.com/blog/security-advisory-2024-07", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-hpc5-mxfq-44hv", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://xibosignage.com/blog/security-advisory-2024-07", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain arbitrary data from the Xibo database by injecting specially crafted values in to the API for viewing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue."}, {"lang": "es", "value": "Xibo es un sistema de gesti\u00f3n de contenidos (CMS). Se descubri\u00f3 una vulnerabilidad de inyecci\u00f3n SQL en las rutas API dentro del CMS responsable del filtrado de conjuntos de datos. Esto permite a un usuario autenticado obtener datos arbitrarios de la base de datos Xibo inyectando valores especialmente manipulados en la API para ver los datos del DataSet. Los usuarios deben actualizar a la versi\u00f3n 3.3.12 o 4.0.14, que soluciona este problema."}], "lastModified": "2024-11-21T09:33:06.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A20B9BFF-DDA4-424F-BC7E-1133A9AB1C2C", "versionEndExcluding": "3.3.12", "versionStartIncluding": "2.1.0"}, {"criteria": "cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A00D67E-5432-413A-9E64-4635502A945F", "versionEndExcluding": "4.0.14", "versionStartIncluding": "4.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}