CVE-2013-4889

Digital Signage Xibo 1.4.2 - Cross-Site Request Forgery in index.php

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-4889. PoCs published by Jacob Holcomb.

AI-analyzed exploit summary This HTML-based exploit demonstrates a CSRF vulnerability in Xibo 1.4.2, allowing an attacker to add a super user and inject XSS payloads via crafted form submissions. The PoC automates the process using JavaScript to submit malicious requests to the target application.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Jacob Holcomb · htmlwebappsphp
https://www.exploit-db.com/exploits/38746

This HTML-based exploit demonstrates a CSRF vulnerability in Xibo 1.4.2, allowing an attacker to add a super user and inject XSS payloads via crafted form submissions. The PoC automates the process using JavaScript to submit malicious requests to the target application.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Xibo 1.4.2
No auth needed
Prerequisites: Victim must visit the malicious HTML page while authenticated to the target Xibo instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

EPSS 0.0091
EPSS Percentile 55.1%

Details

CWE
CWE-352
Status published
Products (1)
xibosignage/xibo 1.4.2
Published Jan 29, 2014
Tracked Since Feb 18, 2026