CVE-2023-45881

Name of the Vulnerable Software and Affected Versions GibbonEdu Gibbon versions through 25.0.0

Description The issue allows file upload with resultant XSS through the /modules/Planner/resources addQuick ajaxProcess.php file. The imageAsLinks parameter must be set to 'Y' to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

Recommendations For versions through 25.0.0, as a temporary workaround, consider restricting access to the /modules/Planner/resources addQuick ajaxProcess.php file until a patch is available. Avoid using the imageAsLinks parameter set to 'Y' and the bodyfile1 parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.