PT-2023-24194 · Xibo · Xibo

Noam Moshe

·

Published

2023-05-30

·

Updated

2023-06-06

·

CVE-2023-33178

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Xibo versions 1.4.0 through 2.3.16, and Xibo versions 3.3.0 through 3.3.4. Version 2.3.17 fixes the 2.x branch and version 3.3.5 fixes the 3.x branch; those versions and later are not affected.
Description A SQL injection issue was discovered in the "/dataset/data/{id}" API route. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the filter parameter. The values allowed in the filter parameter are checked against a deny list of commands, but this checking was done in a case-sensitive manner, making it possible to bypass these checks by using unusual case combinations.
Recommendations For Xibo versions 1.4.0 through 2.3.16, upgrade to version 2.3.17. For Xibo versions 3.3.0 through 3.3.4, upgrade to version 3.3.5. If upgrading is not immediately possible, restrict access to the /dataset/data/{id} API route to trusted users and do not pass user-controlled values in the filter parameter of that endpoint until the fixed version is deployed.
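The following Python script is an added illustration of the flaw described above and of a safer alternative; it is not Xibo's code and does not reproduce Xibo's actual deny list, schema or query. The deny-list entries, the table names (dataset_rows, users), the sample rows and the filter grammar accepted by the hardened version are all constructed for the example. It shows that a case-sensitive substring check against SQL keywords accepts a mixed-case UNION payload that the database engine (here SQLite, whose keywords are case-insensitive like MySQL's) happily executes, that the same deny list compared case-insensitively rejects that payload, and that an allow-list parser with a bound parameter removes the injection sink entirely.

```python
import re
import sqlite3
from typing import Callable, Optional

# Deny list of SQL commands, an assumption for this example: the page does not
# list Xibo's actual entries. The check below mirrors the advisory's flaw:
# substring matching that is case-SENSITIVE, while SQL keywords are not.
DENY_LIST = ["SELECT", "UNION", "INSERT", "UPDATE", "DELETE", "DROP", "--", ";"]

# Mixed-case payload of the kind the advisory describes: every keyword differs
# in case from the deny-list spelling, so the case-sensitive check accepts it.
BYPASS_FILTER = "1=1 uNiOn sElEcT username, password_hash FROM users"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the dataset store (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE dataset_rows (name TEXT, value TEXT);
        INSERT INTO dataset_rows VALUES ('alpha', '1'), ('beta', '2');
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO users VALUES ('admin', '$2y$10$constructed.example.hash');
        """
    )
    return conn


def vulnerable_filter_check(filter_value: str) -> bool:
    """Flawed check: case-sensitive substring match against the deny list."""
    return not any(bad in filter_value for bad in DENY_LIST)


def case_insensitive_filter_check(filter_value: str) -> bool:
    """Same deny list compared case-insensitively: closes this bypass only."""
    upper = filter_value.upper()
    return not any(bad.upper() in upper for bad in DENY_LIST)


def query_with_deny_list(
    conn: sqlite3.Connection, filter_value: str, check: Callable[[str], bool]
) -> Optional[list]:
    """Models the vulnerable pattern: the filter string is concatenated into the
    WHERE clause after passing the deny-list check. Returns None when rejected."""
    if not check(filter_value):
        return None
    sql = f"SELECT name, value FROM dataset_rows WHERE {filter_value}"
    return conn.execute(sql).fetchall()


# Hardened alternative: parse the filter into column / operator / value, accept
# only allow-listed columns and operators, and bind the value as a parameter so
# no user-controlled text is ever spliced into the SQL. Grammar is an assumption.
ALLOWED_COLUMNS = {"name", "value"}
ALLOWED_OPS = {"=", "!=", "<", ">", "LIKE"}
FILTER_RE = re.compile(r"^\s*(\w+)\s*(!=|=|<|>|LIKE)\s*'([^']*)'\s*$", re.IGNORECASE)


def query_with_allow_list(conn: sqlite3.Connection, filter_value: str) -> list:
    m = FILTER_RE.fullmatch(filter_value)
    if not m:
        raise ValueError("filter does not match the allowed grammar")
    column, op, value = m.group(1).lower(), m.group(2).upper(), m.group(3)
    if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
        raise ValueError("column or operator not allowed")
    sql = f"SELECT name, value FROM dataset_rows WHERE {column} {op} ?"
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("case-sensitive deny list:", query_with_deny_list(db, BYPASS_FILTER, vulnerable_filter_check))
    print("case-insensitive deny list:", query_with_deny_list(db, BYPASS_FILTER, case_insensitive_filter_check))
    print("allow list, legitimate filter:", query_with_allow_list(db, "name = 'alpha'"))
    try:
        query_with_allow_list(db, BYPASS_FILTER)
    except ValueError as exc:
        print("allow list, payload rejected:", exc)
```

Run with `python3 filter_check.py`: the first line shows the users row leaking alongside the dataset rows, the second shows None. Upper-casing the deny list is the minimal fix for the case issue, but it is still a deny list; comment tricks, alternative whitespace or keyword splitting can reopen it, and it also rejects legitimate values that merely contain a keyword. The allow-list parser with a bound parameter is the approach to prefer when the filter is needed at all.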

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2023-33178
GHSA-G9X2-757J-HMHH

Affected Products

Xibo