CVE-2024-41802

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

ibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the APIs for importing JSON and importing a Layout containing DataSet data. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue

References

Link	Resource
https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075	Patch Vendor Advisory
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2	Patch Vendor Advisory
https://xibosignage.com/blog/security-advisory-2024-07	Vendor Advisory
https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075	Patch Vendor Advisory
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2	Patch Vendor Advisory
https://xibosignage.com/blog/security-advisory-2024-07	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xibosignage:xibo::::::::
	cpe:2.3:a:xibosignage:xibo::::::::

History

21 Nov 2024, 09:33

Type	Values Removed	Values Added
References	~~() https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075 - Patch, Vendor Advisory~~	() https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075 - Patch, Vendor Advisory
References	~~() https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2 - Patch, Vendor Advisory~~	() https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2 - Patch, Vendor Advisory
References	~~() https://xibosignage.com/blog/security-advisory-2024-07 - Vendor Advisory~~	() https://xibosignage.com/blog/security-advisory-2024-07 - Vendor Advisory

23 Aug 2024, 13:42

Type	Values Removed	Values Added
CPE		cpe:2.3:a:xibosignage:xibo::::::::
First Time		Xibosignage xibo Xibosignage
References	~~() https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075 -~~	() https://github.com/xibosignage/xibo-cms/commit/b7a5899338cd841a39702e3fcaff76aa0ffe4075 - Patch, Vendor Advisory
References	~~() https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2 -~~	() https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-x4qm-vvhp-g7c2 - Patch, Vendor Advisory
References	~~() https://xibosignage.com/blog/security-advisory-2024-07 -~~	() https://xibosignage.com/blog/security-advisory-2024-07 - Vendor Advisory

31 Jul 2024, 12:57

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-07-30 16:15

Updated : 2024-11-21 09:33

NVD link : CVE-2024-41802

Mitre link : CVE-2024-41802

CVE.ORG link : CVE-2024-41802

JSON object : View

Products Affected

xibosignage

xibo

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.1 /10