CVE-2023-33177
Published: 2023-05-30
Priority: P2 (69) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS: 7.09% (93.4th percentile)
Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xibosignage | xibo | >= 1.8.0 < 2.3.17 | 2.3.17 |
| xibosignage | xibo | >= 3.0.0 < 3.3.5 | 3.3.5 |
| xibosignage | xibo-cms | — | — |
| xibosignage | xibo-cms | — | — |
Detection & IOCs (extracted from sources)
- Monitor for ZIP file uploads to the Xibo layout import endpoint containing path traversal sequences (../../) within mapping.json's 'file' field entries.
- Alert on ZIP archive entries whose stored paths contain traversal sequences such as 'library/../../' targeting the Xibo CMS layout import function.
- Detect creation of new .php files under the web root directory (/var/www/cms/web/) by the webserver user process, which is anomalous and indicative of successful Zip Slip exploitation.
- Monitor HTTP GET requests to /shell.php with a 'cmd' query parameter on Xibo CMS hosts as a post-exploitation webshell access indicator.
- Inspect uploaded ZIP files for a mapping.json containing a 'file' key with value starting with '../../'; this is the direct path traversal trigger used in exploitation.
- The exploit requires an authenticated session with layout import permission; correlate suspicious layout imports (Design → Layouts → Import) with subsequent new PHP file creation events.
- Exploitation requires valid authenticated credentials with layout import permission; this is not an unauthenticated attack vector.
- The webshell is written to disk even if the import process returns JSON errors; defenders should not rely on import failure as evidence that exploitation was unsuccessful.
- Affected version range spans two major branches: 1.8.0–2.3.16 and 3.0.0–3.3.4; patched versions are 2.3.17+ and 3.3.5+.
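The first, second and fifth indicators above can be checked before an uploaded layout archive ever reaches the CMS. The following inspector is an added example written for this page; it is not Xibo code and does not reproduce the patch. It assumes the library directory is /var/www/cms/library (a constructed value, matching the web root mentioned above) and that mapping.json is a JSON array of objects with a "file" key (an assumption about the format; a single object is also accepted). Each archive entry name and each mapping "file" value is resolved against the library directory: a path that lands outside it is reported as an "escape", while a path that contains a ".." segment but still resolves inside the library is reported as a "traversal-sequence" so that borderline inputs are not silently accepted. The sample archives are constructed in memory.

```python
import io
import json
import posixpath
import zipfile

# Assumed library location for this example (constructed, not taken from Xibo config).
LIBRARY_DIR = "/var/www/cms/library"


def escapes(base: str, relative: str) -> bool:
    """True if joining `relative` onto `base` resolves outside `base`."""
    cleaned = relative.replace("\\", "/")
    if cleaned.startswith("/"):
        return True  # absolute path: never acceptable inside an archive
    joined = posixpath.normpath(posixpath.join(base, cleaned))
    return not (joined == base or joined.startswith(base + "/"))


def classify(base: str, relative: str):
    """Return 'escape', 'traversal-sequence', or None for a stored path."""
    if escapes(base, relative):
        return "escape"
    if ".." in relative.replace("\\", "/").split("/"):
        return "traversal-sequence"
    return None


def find_traversal(zip_bytes: bytes, base: str = LIBRARY_DIR):
    """Scan an uploaded layout archive for Zip Slip style paths.

    Returns a list of (source, path, verdict) tuples; an empty list means clean.
    Sources are 'zip-entry' (archive member names), 'mapping-file' (the 'file'
    values in mapping.json) and 'mapping-json' (mapping.json could not be parsed).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            verdict = classify(base, info.filename)
            if verdict:
                findings.append(("zip-entry", info.filename, verdict))
        if "mapping.json" in zf.namelist():
            try:
                mapping = json.loads(zf.read("mapping.json").decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                findings.append(("mapping-json", "mapping.json", "unparseable"))
                return findings
            items = mapping if isinstance(mapping, list) else [mapping]
            for item in items:
                target = item.get("file") if isinstance(item, dict) else None
                if isinstance(target, str):
                    verdict = classify(base, target)
                    if verdict:
                        findings.append(("mapping-file", target, verdict))
    return findings


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: one with the traversal pattern described in the
# indicators above, one shaped like a legitimate layout export.
MALICIOUS_ZIP = build_zip({
    "layout.xml": "<layout/>",
    "mapping.json": json.dumps([{"file": "../../web/shell.php", "name": "x"}]),
    "library/../../web/shell.php": "placeholder content",
})
BENIGN_ZIP = build_zip({
    "layout.xml": "<layout/>",
    "mapping.json": json.dumps([{"file": "background.png", "name": "bg"}]),
    "background.png": b"\x89PNG placeholder",
})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, find_traversal(blob))
```

Run at the upload boundary (a reverse proxy hook, a pre-import validation step, or a retrospective sweep over stored imports), rejecting any archive with an "escape" finding and reviewing "traversal-sequence" findings by hand. Resolving paths rather than grepping for "../" is what keeps the check robust against encodings such as "library/../.." while still letting harmless names through.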
References
- https://claroty.com/team82/disclosure-dashboard
- https://github.com/xibosignage/xibo-cms/commit/1cbba380fa751a00756e70d7b08b5c6646092658
- https://github.com/xibosignage/xibo-cms/commit/45c6b53c3978639db03b63270a56f4397f49b2c9
- https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-jj27-x85q-crqv
- https://xibosignage.com/blog/security-advisory-2023-05/