PT-2024-22676 · Xibo · Xibo

Saadet-T · Published 2024-04-12 · Updated 2024-04-15

CVE-2024-29022

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

- Xibo versions prior to 3.3.10
- Xibo versions prior to 4.0.9
- Xibo version 1.8
- Xibo version 2.3
Description

Xibo is an open-source digital signage platform with a web content management system and Windows display player software. In affected versions, some request headers are not correctly sanitized when they are stored in the session and display tables. An attacker can use these headers to inject a malicious script into the session page to exfiltrate session IDs and User-Agent strings, which can subsequently be used to hijack active sessions. A malicious script can likewise be injected into the display grid to exfiltrate information about displays.
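The following is an added illustration of the bug class described above, not Xibo's own code: a session table that interpolates a client-supplied User-Agent header into HTML unescaped, beside a version that escapes every stored value at output time. The header name, the sample session records and all function names are assumptions constructed for this example.

```python
import html
import re

# Constructed sample records standing in for rows of a session table.
# The second User-Agent carries HTML markup; it is a test input built for
# this example, not a payload taken from the advisory.
SAMPLE_SESSIONS = [
    {"session_id": "sess-0001", "user_agent": "Xibo Player (Windows)"},
    {"session_id": "sess-0002", "user_agent": "Mozilla/5.0 <script>probe()</script>"},
]


def render_row_unsafe(session):
    """Vulnerable pattern: the stored header value is interpolated into HTML as-is.

    Whatever the client put in the header becomes part of the page an
    administrator views, so markup in the header runs in their browser.
    """
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        session["session_id"], session["user_agent"])


def render_row_safe(session):
    """Hardened pattern: every stored value is HTML-escaped when rendered."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(session["session_id"], quote=True),
        html.escape(session["user_agent"], quote=True))


def looks_like_markup(header_value):
    """Storage-side check: flag header values containing characters that have
    no business in a User-Agent string. Suitable for logging or alerting;
    output escaping remains the actual control."""
    return re.search(r"[<>\"']", header_value) is not None


def render_table(sessions, renderer):
    """Assemble the session grid using the given row renderer."""
    return "<table>" + "".join(renderer(s) for s in sessions) + "</table>"


if __name__ == "__main__":
    print(render_table(SAMPLE_SESSIONS, render_row_unsafe))
    print(render_table(SAMPLE_SESSIONS, render_row_safe))
    for s in SAMPLE_SESSIONS:
        flag = "suspicious" if looks_like_markup(s["user_agent"]) else "ok"
        print(s["session_id"], flag)
```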
Recommendations

- For Xibo versions prior to 3.3.10, upgrade to version 3.3.10.
- For Xibo versions prior to 4.0.9, upgrade to version 4.0.9.
- For Xibo version 1.8, apply the patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff.
- For Xibo version 2.3, apply the patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff.

As a temporary workaround, consider restricting access to the session and display tables until a patch is available, and avoid using the vulnerable request headers in the affected API endpoints until the issue is resolved.

XSS

Weakness Enumeration

Related Identifiers: CVE-2024-29022, GHSA-XCHW-PF2W-RPGQ

Affected Products: Xibo