CVE-2023-33179

Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://claroty.com/team82/disclosure-dashboard	Third Party Advisory
https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5	Vendor Advisory
https://xibosignage.com/blog/security-advisory-2023-05/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*

History

06 Jun 2023, 01:01

Type	Values Removed	Values Added
References	~~(MISC) https://xibosignage.com/blog/security-advisory-2023-05/ -~~	(MISC) https://xibosignage.com/blog/security-advisory-2023-05/ - Vendor Advisory
References	~~(MISC) https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5 -~~	(MISC) https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5 - Vendor Advisory
References	~~(MISC) https://claroty.com/team82/disclosure-dashboard -~~	(MISC) https://claroty.com/team82/disclosure-dashboard - Third Party Advisory
CWE		CWE-89
CPE		cpe:2.3:a:xibosignage:xibo::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

30 May 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-05-30 21:15

Updated : 2024-02-04 23:37

NVD link : CVE-2023-33179

Mitre link : CVE-2023-33179

CVE.ORG link : CVE-2023-33179

JSON object : View

Products Affected

xibosignage

xibo

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-33179", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-05-30T21:15:09.077", "references": [{"url": "https://claroty.com/team82/disclosure-dashboard", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jmx8-cgm4-7mf5", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://xibosignage.com/blog/security-advisory-2023-05/", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading."}], "lastModified": "2023-06-06T01:01:56.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xibosignage:xibo:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "401215DE-8684-4986-BB19-3B16AF2155C7", "versionEndExcluding": "3.3.5", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}