PT-2025-33888 · Xibo Signage · Xibo Cms
Published
2025-08-19
·
Updated
2026-03-20
·
CVE-2025-41089
CVSS v4.0
4.8
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Xibo CMS version 4.1.2
Description
A reflected Cross-Site Scripting (XSS) issue exists in Xibo CMS due to insufficient validation of user input. An attacker with an account that is allowed to create templates (the vector's PR:L) exploits this by creating a template in the 'Templates' section and adding an element that exposes a 'Configuration Name' field, such as the 'Clock' widget, then placing a script payload in that field. The value is rendered back without adequate validation or output encoding, so the injected script runs in the browser of a user who opens the affected page (UI:A).
Recommendations
Update Xibo CMS to a version with a fix for this issue. Until the update is applied, restrict template creation and editing to trusted users and validate the 'Configuration Name' field against an allow-list of expected characters. Input filtering is a stopgap only; the durable fix is to escape the value wherever it is written into HTML.
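As an added illustration, not code from Xibo CMS or from this advisory, the JavaScript below shows the bug class described above and the layered mitigation recommended: a hypothetical 'Configuration Name' value rendered into template-editor markup first unsafely and then with output encoding, an allow-list validator of the kind the workaround calls for, and a coarse regression check over the rendered output. The function names, the markup shape and the attacker input are assumptions; only the field name comes from the advisory.

```javascript
// Added example (not Xibo CMS code): a user-controlled "Configuration Name"
// written into template-editor markup with and without escaping. Function
// names, the <li> markup and the attacker string are hypothetical.

// Constructed attacker input, labelled as such: a plausible element name
// that carries an event-handler payload.
const CONSTRUCTED_NAME = 'Lobby <img src=x onerror="alert(document.cookie)"> Clock';

// Vulnerable pattern: the name is interpolated into HTML as-is, both in a
// text node and inside a double-quoted attribute.
function renderConfigNameUnsafe(name) {
  return `<li class="element" data-name="${name}">${name}</li>`;
}

// Output encoding that is safe for text-node and double-quoted-attribute
// context. These five characters are the ones that can change parser state.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: escape at every interpolation point. This is the real
// fix; input validation is only a second layer.
function renderConfigNameSafe(name) {
  const safe = escapeHtml(name);
  return `<li class="element" data-name="${safe}">${safe}</li>`;
}

// Server-side allow-list for the field, the kind of check the advisory's
// workaround calls for: a length cap and a conservative character set.
// A legitimate name such as "Clock - Lobby 2" passes, markup does not.
const CONFIG_NAME_RE = /^[\p{L}\p{N} _.,:()-]{1,64}$/u;
function isValidConfigName(name) {
  return typeof name === 'string' && CONFIG_NAME_RE.test(name);
}

// Coarse regression check for rendered output: list any tag other than the
// <li> the template itself emits. This is a test helper, not a sanitizer;
// a regex cannot parse HTML reliably enough to be the defence.
function foreignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((t) => !/^<li[\s>]/.test(t) && t !== '</li>');
}

// Runs the payload through both renderers and the validator.
function demo() {
  const unsafe = renderConfigNameUnsafe(CONSTRUCTED_NAME);
  const safe = renderConfigNameSafe(CONSTRUCTED_NAME);
  return {
    unsafeForeign: foreignTags(unsafe),               // the injected <img> tag
    safeForeign: foreignTags(safe),                   // []
    validBenign: isValidConfigName('Clock - Lobby 2'), // true
    validPayload: isValidConfigName(CONSTRUCTED_NAME), // false
  };
}

console.log(demo());
```

Run it with `node`; the unsafe rendering yields a second, attacker-controlled tag while the escaped rendering keeps the payload as inert text. The allow-list rejects the payload but would also reject legitimate names containing characters such as `&`, which is why it belongs in front of, not instead of, the escaping in the renderer.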
Fix
LPE
XSS
Affected Products
Xibo Cms