PT-2024-22677 · Xibo · Xibo
Saadet-T · Published 2024-04-12 · Updated 2024-04-15 · CVE-2024-29023
CVSS v3.1 7.2 High
Vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Xibo versions prior to 3.3.10
Xibo versions prior to 4.0.9
Xibo version 1.8
Xibo version 2.3
Description
Xibo is an open-source digital signage platform with a web content management system (CMS) and Windows display player software. The session-search API call that backs the Sessions page of the CMS returns the session tokens of the listed sessions in its response. An authenticated user who can view that page, or who is a super admin, can therefore read another user's token from the response and present it to hijack that user's session. The attacker must already hold access to the Sessions page or super admin rights, which is why the vector carries PR:H.
Recommendations
For Xibo versions prior to 3.3.10, upgrade to version 3.3.10.
For Xibo versions prior to 4.0.9, upgrade to version 4.0.9.
For Xibo version 1.8, apply the patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff.
For Xibo version 2.3, apply the patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff.
As a temporary workaround, restrict access to the Sessions page to the smallest set of users that needs it, to minimize the risk of exploitation.
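The bug class behind the description above, shown as an added example in Python that is not Xibo's own code: a session-search handler that serialises every column of the session row, token included, next to a hardened one that allow-lists only the fields an operator needs on the Sessions page, plus a response check that can be pointed at the real endpoint's JSON after upgrading to confirm nothing token-shaped is still returned. The field names (session_id, user_name and so on), the token format and the sample rows are assumptions constructed for the example, not Xibo's schema.

```python
"""Illustration of the CVE-2024-29023 bug class: an admin session-search
endpoint leaking session tokens, and the allow-list fix. Added example, not
Xibo code; field names, token shape and sample rows are assumptions."""
import json
import re
import secrets
from typing import Any

# Constructed sample of what a session store might hold (field names assumed).
SESSIONS = [
    {"session_id": secrets.token_hex(16), "user_id": 1, "user_name": "xibo_admin",
     "is_expired": 0, "last_accessed": "2024-04-12 09:15:00", "remote_addr": "10.0.0.5"},
    {"session_id": secrets.token_hex(16), "user_id": 7, "user_name": "display_ops",
     "is_expired": 0, "last_accessed": "2024-04-12 09:20:31", "remote_addr": "10.0.0.9"},
]

# Fields an operator legitimately needs on a sessions page (assumed set).
SAFE_FIELDS = ("user_id", "user_name", "is_expired", "last_accessed", "remote_addr")


def search_sessions_vulnerable(store: list[dict[str, Any]]) -> str:
    """Vulnerable pattern: dump every column of each matching row into the
    response, so the session identifier (the credential itself) goes out too."""
    return json.dumps({"data": store})


def search_sessions_fixed(store: list[dict[str, Any]]) -> str:
    """Hardened pattern: allow-list the fields exposed to the caller.
    The session identifier never leaves the server."""
    return json.dumps({"data": [{k: row[k] for k in SAFE_FIELDS} for row in store]})


# Heuristics for the post-upgrade check: suspicious key names and token-like shape.
TOKEN_FIELD_NAMES = {"session_id", "sessionid", "token", "session_token", "phpsessid"}
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$")


def leaked_tokens(response_body: str) -> list[str]:
    """Walk a JSON response body and collect string values that look like
    session tokens, either by field name or by shape (32+ hex characters).
    Returns the offending values; an empty list means nothing token-like."""
    found: list[str] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, str) and (
                    key.lower() in TOKEN_FIELD_NAMES or HEX_TOKEN.match(value)
                ):
                    found.append(value)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(response_body))
    return found


if __name__ == "__main__":
    # Vulnerable handler leaks one token per listed session; fixed handler leaks none.
    print("vulnerable:", len(leaked_tokens(search_sessions_vulnerable(SESSIONS))), "token(s) exposed")
    print("fixed:", len(leaked_tokens(search_sessions_fixed(SESSIONS))), "token(s) exposed")
```

The allow-list is the important design choice: a deny-list of "sensitive" columns breaks the moment a new token-bearing column is added to the session table, whereas an allow-list fails closed. The `leaked_tokens` check is deliberately loose (it flags by key name or by shape) so it is usable against a response whose exact schema is unknown; feed it the body of the real session-search call after applying the fix and treat any hit as a finding to inspect by hand.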

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers
CVE-2024-29023
GHSA-XMC6-CFQ5-HG39

Affected Products
Xibo