CVE-2024-43412

Name of the Vulnerable Software and Affected Versions Xibo versions prior to 4.1.0

Description Xibo is an open source digital signage platform with a web content management system (CMS). A cross-site scripting issue allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be referenced on Displays and in Layouts. When previewing these resources from the Library and Layout editor, they are executed in the user's browser. This behavior has been changed in version 4.1.0 to disable previewing of generic files. Users are encouraged to use the new developer tools in 4.1 to design their widgets which require this type of functionality.

Recommendations For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the file preview function for generic files until the update is applied. Additionally, users are advised to use the new developer tools in 4.1 to design their widgets which require this type of functionality.