CVE-2023-33179
Summary
| CVE | CVE-2023-33179 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-05-30 21:15:00 UTC |
| Updated | 2023-06-06 01:01:00 UTC |
| Description | Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Xibosignage | Xibo | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter · Advisory · xibosignage/xibo-cms · GitHub | MISC | github.com | |
| XIoT Vulnerability Disclosure Dashboard \| Claroty | MISC | claroty.com | |
| Security Advisory - 5 issues affecting the CMS | MISC | xibosignage.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.