PT-2023-24193 · Xibo · Xibo

Noam Moshe · Published 2023-05-30 · Updated 2023-06-06 · CVE-2023-33177

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Xibo versions prior to 2.3.17
Xibo versions prior to 3.3.5

Description
A path traversal vulnerability exists in the Xibo CMS: an authenticated user can upload a specially crafted zip file via the layout import function. Entries in that archive can create files outside of the CMS library directory as the webserver user, potentially allowing a PHP webshell to be written inside the web root directory and achieving remote code execution as the webserver user.

Recommendations
For versions prior to 2.3.17, upgrade to version 2.3.17 to resolve the issue. For versions prior to 3.3.5, upgrade to version 3.3.5 to resolve the issue. As a temporary workaround, consider restricting access to the layout import function to minimize the risk of exploitation.
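The control the fixed versions need on the import path is that every archive member's destination is checked against the library directory before anything is written. The following is an added example written for this page, in Python rather than Xibo's PHP, and it is not Xibo's own code: the function names (is_within, safe_entry_names, safe_extract) are hypothetical, the library directory is a temporary directory, and the archive it inspects is constructed inline with one member whose name climbs out of the library.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def is_within(base: Path, target: Path) -> bool:
    """True if `target` resolves to a path inside `base` (or equal to it).

    Resolving both sides collapses `..` components and symlinked parents,
    so a name like `../../web/x` is compared by where it would really land.
    """
    try:
        target.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def safe_entry_names(zf: zipfile.ZipFile, library_dir: Path) -> tuple[list[str], list[str]]:
    """Split archive members into (accepted, rejected) by their destination.

    A member is rejected when its name is absolute, when the archive marks it
    as a symlink, or when its normalized destination is outside `library_dir`.
    """
    accepted, rejected = [], []
    for info in zf.infolist():
        name = info.filename
        # Absolute paths and drive letters never belong in a layout import.
        if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
            rejected.append(name)
            continue
        # Unix mode lives in the high 16 bits; 0o120000 is S_IFLNK.
        if ((info.external_attr >> 16) & 0o170000) == 0o120000:
            rejected.append(name)
            continue
        if is_within(library_dir, library_dir / name):
            accepted.append(name)
        else:
            rejected.append(name)
    return accepted, rejected


def safe_extract(zip_bytes: bytes, library_dir: Path) -> tuple[list[str], list[str]]:
    """Write only accepted members under library_dir; return (accepted, rejected)."""
    library_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        accepted, rejected = safe_entry_names(zf, library_dir)
        for name in accepted:
            if name.endswith("/"):  # directory entry, nothing to write
                continue
            dest = library_dir / name
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(name) as src, open(dest, "wb") as dst:
                dst.write(src.read())
    return accepted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample (not from the advisory): two legitimate layout members
    and one whose name resolves outside the library directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("layout.xml", "<layout/>")
        zf.writestr("media/logo.png", b"\x89PNG placeholder")
        zf.writestr("../../web/escaped.txt", "must never be written")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Run the check against the sample archive in a throwaway library directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), Path(tmp) / "library")


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    print("rejected:", bad)
```

The check deliberately happens on the resolved destination rather than on the raw name, so variants such as `a/../../b` or a symlinked parent directory are caught the same way as a plain `../` prefix; rejected names are returned so the import handler can log them against the authenticated user who uploaded the archive.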

Weakness Enumeration
Path traversal

Related Identifiers
CVE-2023-33177
GHSA-JJ27-X85Q-CRQV

Affected Products
Xibo