PT-2024-30571 · Xibo · Xibo
Author: Sergey Bobrov
Published: 2024-09-03 · Updated: 2024-09-12
CVE-2024-43413
CVSS v3.1: 4.8 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Xibo versions prior to 4.1.0
Description
A cross-site scripting issue in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. It occurs when a user designs a DataSet with an HTML column containing JavaScript: the column value is rendered as-is, so the script executes on the Data Entry page and in any Layouts referencing that DataSet. The behavior was changed in version 4.1.0 to display HTML, CSS, and JavaScript as code on the Data Entry page.
Recommendations
For versions prior to 4.1.0, update to version 4.1.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the DataSet functionality with HTML columns until the update is applied.
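To illustrate the description and the workaround, the following added example (not Xibo's code) contrasts the raw rendering of an HTML column cell with rendering it as code, and includes an audit helper that lists HTML-typed cells carrying script-like content so an administrator can review them before the upgrade. The DataSet column layout, the sample rows and the escaping mechanism are assumptions for illustration.

```python
import html
import re

# Constructed sample data, shaped like a DataSet with one HTML-type column.
# Column names and types are assumptions for illustration, not Xibo's schema.
DATASET_COLUMNS = [
    {"heading": "Title", "type": "String"},
    {"heading": "Body", "type": "HTML"},
]
DATASET_ROWS = [
    {"Title": "Welcome", "Body": "<p>Hello <b>visitors</b></p>"},
    {"Title": "Promo", "Body": '<img src="x" onerror="/* constructed */">'},
    {"Title": "News", "Body": "<p>Today</p><script>/* constructed */</script>"},
]

# Markers of active content inside markup: script tags, javascript: URLs,
# and on* event-handler attributes.
ACTIVE_CONTENT = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def render_cell_raw(value: str) -> str:
    """Pre-4.1.0 behaviour as the advisory describes it: the HTML column value
    is placed into the page unchanged, so any script it carries runs."""
    return value


def render_cell_as_code(value: str) -> str:
    """Post-fix behaviour as the advisory describes it (escaping is assumed here
    as the mechanism; it is not Xibo's actual code): markup is shown as text
    instead of being interpreted by the browser."""
    return html.escape(value, quote=True)


def find_active_content(columns, rows):
    """Audit helper for the pre-upgrade workaround: list every HTML-typed cell
    that contains script-like content, as (row_index, heading, match)."""
    html_headings = [c["heading"] for c in columns if c["type"] == "HTML"]
    findings = []
    for i, row in enumerate(rows):
        for heading in html_headings:
            m = ACTIVE_CONTENT.search(row.get(heading, ""))
            if m:
                findings.append((i, heading, m.group(0)))
    return findings


if __name__ == "__main__":
    for i, heading, match in find_active_content(DATASET_COLUMNS, DATASET_ROWS):
        cell = DATASET_ROWS[i][heading]
        print(f"row {i} column {heading!r}: {match!r}")
        print("  rendered raw     :", render_cell_raw(cell))
        print("  rendered as code :", render_cell_as_code(cell))
```

The audit only inspects HTML-typed columns, matching the scope of the advisory; a hit means the cell would have been interpreted as live markup on the Data Entry page before 4.1.0.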
Category: XSS
Affected Products: Xibo