PT-2024-29571 · Xibo · Xibo
Sergey Bobrov · Published 2024-07-30 · Updated 2024-08-23
CVE-2024-41804
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Xibo versions prior to 3.3.12
Xibo versions prior to 4.0.14
Description
A SQL injection issue was discovered in the API route responsible for adding/editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the formula parameter.
Recommendations
For versions prior to 3.3.12, upgrade to version 3.3.12 to resolve the issue.
For versions prior to 4.0.14, upgrade to version 4.0.14 to resolve the issue.
As a temporary workaround, consider restricting access to the formula parameter in the affected API endpoint until a patch is available.
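The pattern described above (an untrusted formula value reaching a SQL statement) and the interim workaround (restricting who may supply the parameter), as an added example that is not part of this advisory and is not Xibo's code. The dataset_column table, the allowlisted formula grammar, the ROUND/ABS function allowlist and the role names are all constructed for illustration; the point is that the value is validated against a strict grammar and then passed as a bound parameter, never pasted into statement text.

```python
import re
import sqlite3

# Hypothetical formula grammar (not Xibo's): numbers, identifiers, + - * / and
# parentheses. Quotes, semicolons and comment markers can never tokenise, so a
# value that passes cannot change the shape of any SQL statement it ends up in.
_TOKEN = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_][A-Za-z0-9_]*)|([-+*/()]))")
ALLOWED_FUNCTIONS = {"ROUND", "ABS"}          # hypothetical allowlist of callable names
ALLOWED_ROLES = frozenset({"admin"})          # hypothetical interim access restriction


def validate_formula(formula: str) -> bool:
    """True only if the whole string tokenises under the allowlisted grammar."""
    if not formula or len(formula) > 200:
        return False
    # Reject SQL comment markers outright; "1 -- x" would otherwise tokenise as 1, -, -, x.
    if "--" in formula or "/*" in formula or "*/" in formula:
        return False
    formula = formula.strip()
    pos = 0
    while pos < len(formula):
        m = _TOKEN.match(formula, pos)
        if not m:
            return False                      # quote, semicolon, or other disallowed char
        _num, ident, _op = m.groups()
        rest = formula[m.end():].lstrip()
        # An identifier directly followed by "(" is a function call: allowlist it.
        if ident and rest.startswith("(") and ident.upper() not in ALLOWED_FUNCTIONS:
            return False
        pos = m.end()
    return True


def make_db() -> sqlite3.Connection:
    # Constructed table standing in for a DataSet column store (not Xibo's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dataset_column (id INTEGER PRIMARY KEY, heading TEXT, formula TEXT)")
    conn.executemany("INSERT INTO dataset_column (heading, formula) VALUES (?, ?)",
                     [("price", ""), ("tax", "")])
    conn.commit()
    return conn


def build_vulnerable_sql(column_id: int, formula: str) -> str:
    # The unsafe pattern: the formula becomes part of the statement text, so any
    # quote in it rewrites the statement. Shown for comparison only; never executed.
    return "UPDATE dataset_column SET formula = '%s' WHERE id = %d" % (formula, column_id)


def edit_formula(conn: sqlite3.Connection, column_id: int, formula: str,
                 caller_role: str) -> bool:
    """Hardened handler: role gate, allowlist validation, then a bound parameter."""
    if caller_role not in ALLOWED_ROLES:      # interim workaround: restrict the parameter
        return False
    if not validate_formula(formula):
        return False
    conn.execute("UPDATE dataset_column SET formula = ? WHERE id = ?", (formula, column_id))
    conn.commit()
    return True


def formulas(conn: sqlite3.Connection) -> dict:
    """Current heading -> formula mapping, used to check that only the target row changed."""
    return {h: f for h, f in conn.execute("SELECT heading, formula FROM dataset_column ORDER BY id")}


if __name__ == "__main__":
    db = make_db()
    print(edit_formula(db, 1, "ROUND(price * 1.2)", "admin"))   # accepted
    print(edit_formula(db, 2, "x', heading = 'y", "admin"))     # rejected by the grammar
    print(build_vulnerable_sql(2, "x', heading = 'y"))          # why concatenation is unsafe
    print(formulas(db))
```

The role gate models the advisory's interim workaround; the grammar check and the bound parameter model the class of fix. Validation alone is not a substitute for parameterisation: even a well-formed formula should reach the database as data, not as statement text.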
Weakness Enumeration: SQL injection
Related Identifiers: CVE-2024-41804
Affected Products: Xibo