CVE-2023-33179

MEDIUM

Xibo 3.2.0-3.3.4 - Authenticated SQL Injection via nameFilter Function

Title source: llm
STIX 2.1

Description

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading.

References (3)

Core 3
Core References
Third Party Advisory x_refsource_misc
https://claroty.com/team82/disclosure-dashboard

Scores

CVSS v3 6.5
EPSS 0.0062
EPSS Percentile 45.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
xibosignage/xibo 3.2.0 - 3.3.5
Published May 30, 2023
Tracked Since Feb 18, 2026