PT-2024-29569 · Xibo · Xibo
Sergey Bobrov · Published 2024-07-30 · Updated 2024-08-23 · CVE-2024-41802
CVSS v3.1: 8.1 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Xibo versions prior to 3.3.12
Xibo versions prior to 4.0.14
Description
A SQL injection issue was discovered in the API routes of Xibo, a content management system, specifically in the components responsible for filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout containing DataSet data.
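To illustrate the vulnerability class described above, the following is an added example and not Xibo's code: a DataSet filter taken from an imported JSON document is spliced into the SQL text in the vulnerable pattern, and validated against a column allowlist and parameter-bound in the hardened one. The table, the column names and the imported document are constructed for this example.

```python
import json
import sqlite3

# Constructed stand-in for a DataSet table in the application database;
# the column names are hypothetical, not Xibo's schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE dataset_rows (id INTEGER, city TEXT, secret TEXT)")
    db.executemany("INSERT INTO dataset_rows VALUES (?, ?, ?)",
                   [(1, "Berlin", "s1"), (2, "Paris", "s2")])
    return db

# Columns a filter may legitimately reference (allowlist for identifiers).
ALLOWED_COLUMNS = {"id", "city"}

def imported(column, value):
    # Builds a constructed "import" document carrying a DataSet filter.
    return json.dumps({"filter": {"column": column, "value": value}})

def filter_unsafe(db, imported_json):
    # Vulnerable pattern: both the column name and the value from the
    # imported document are interpolated into the query text, so a quote
    # or an extra condition in either field changes the statement.
    f = json.loads(imported_json)["filter"]
    sql = (f"SELECT city FROM dataset_rows WHERE {f['column']} = "
           f"'{f['value']}' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def filter_safe(db, imported_json):
    # Hardened pattern: identifiers cannot be bound as parameters, so the
    # column is checked against the allowlist; the value is bound with a
    # placeholder and never becomes part of the SQL text.
    f = json.loads(imported_json)["filter"]
    if f["column"] not in ALLOWED_COLUMNS:
        raise ValueError(f"filter column not allowed: {f['column']!r}")
    sql = f"SELECT city FROM dataset_rows WHERE {f['column']} = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (f["value"],))]
```

With a value containing a quote, the unsafe path returns every row while the hardened path returns only genuine matches; a crafted column name is rejected before any query runs.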
Recommendations
For versions prior to 3.3.12, upgrade to version 3.3.12 to resolve the issue.
For versions prior to 4.0.14, upgrade to version 4.0.14 to resolve the issue.
Weakness Enumeration
SQL injection
Affected Products
Xibo