CVE-2024-41804
MEDIUMXibo 2.1.0-3.3.12 - Authenticated SQL Injection via DataSet Column Formula Parameter
Title source: llmDescription
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the `formula` parameter. Users should upgrade to version 3.3.12 or 4.0.14 which fix this issue.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-4pp3-4mw7-qfwr
Patch, Vendor Advisory x_refsource_misc
https://github.com/xibosignage/xibo-cms/commit/39a2fd54b3f08831b0004aa2015bd8a753bc567f.patch
Vendor Advisory x_refsource_misc
https://xibosignage.com/blog/security-advisory-2024-07
Scores
CVSS v3
6.5
EPSS
0.0043
EPSS Percentile
35.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
xibosignage/xibo
2.1.0 - 3.3.12
Published
Jul 30, 2024
Tracked Since
Feb 18, 2026