Xibosignage Xibo vulnerabilities
19 known vulnerabilities affecting xibosignage/xibo.
Total CVEs: 19
CISA KEV: 0
Public exploits: 5
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 14
Vulnerabilities
CVE-2023-33177 | P2 | HIGH | CVSS 8.8 | PoC available | Affected: ≥ 1.8.0, < 2.3.17; ≥ 3.0.0, < 3.3.5 | Published: 2023-05-30
CWE-22
Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell
Source: nvd
CVE-2025-62369 | P3 | HIGH | CVSS 7.2 | PoC available | Affected: ≥ 4.1.0, < 4.3.1 | Published: 2025-11-04
CWE-94
Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and exe
Source: nvd
CVE-2013-5979 | P3 | MEDIUM | CVSS 5.0 | PoC available | Affected: v1.2.0, v1.2.1, +3 more | Published: 2013-10-02
CWE-22
Directory traversal vulnerability in Spring Signage Xibo 1.2.x before 1.2.3 and 1.4.x before 1.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter to index.php.
Source: nvd
CVE-2026-31952 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 1.7.0, < 4.4.1 | Published: 2026-04-24
CWE-89
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by i
Source: nvd
CVE-2024-41802 | P3 | HIGH | CVSS 8.1 | Affected: ≥ 2.1.0, < 3.3.12; ≥ 4.0.0, < 4.0.14 | Published: 2024-07-30
CWE-89
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout contai
Source: nvd
CVE-2013-4889 | P4 | MEDIUM | CVSS 6.8 | PoC available | Affected: v1.4.2 | Published: 2014-01-29
Multiple cross-site request forgery (CSRF) vulnerabilities in index.php in Digital Signage Xibo 1.4.2 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new administrator via the AddUser action or (2) conduct cross-site scripting (XSS) attacks, as demonstrated by CVE-2013-4888.
Source: nvd
CVE-2023-33178 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 1.4.0, < 2.3.17; ≥ 3.0.0, < 3.3.5 | Published: 2023-05-30
CWE-89
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter.
Source: nvd
CVE-2024-41804 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 2.1.0, < 3.3.12; ≥ 4.0.0, < 4.0.14 | Published: 2024-07-30
CWE-89
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `formula` parameter. Users shoul
Source: nvd
CVE-2013-4887 | P3 | HIGH | CVSS 7.5 | Affected: v1.4.2 | Published: 2014-01-29
CWE-89
SQL injection vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to execute arbitrary SQL commands via the displayid parameter.
Source: nvd
CVE-2023-33180 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 3.2.0, < 3.3.5 | Published: 2023-05-30
CWE-89
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgra
Source: nvd
CVE-2013-4888 | P4 | MEDIUM | CVSS 4.3 | PoC available | Affected: v1.4.2 | Published: 2014-01-29
CWE-79
Cross-site scripting (XSS) vulnerability in index.php in Digital Signage Xibo 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the layout parameter in the layout page.
Source: nvd
CVE-2023-33179 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 3.2.0, < 3.3.5 | Published: 2023-05-30
CWE-89
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrad
Source: nvd
CVE-2024-41803 | P4 | MEDIUM | CVSS 4.9 | Affected: ≥ 2.1.0, < 3.3.12; ≥ 4.0.0, < 4.0.14 | Published: 2024-07-30
CWE-89
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version
Source: nvd
CVE-2026-31955 | P4 | MEDIUM | CVSS 4.9 | Fixed in: 4.4.1 | Published: 2026-04-24
CWE-918
Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. Thi
Source: nvd
CVE-2023-33181 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 3.0.0, < 3.3.5 | Published: 2023-05-30
CWE-209
Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no kno
Source: nvd
CVE-2024-43412 | P4 | MEDIUM | CVSS 5.4 | Fixed in: 4.1.0 | Published: 2024-09-03
CWE-79
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be reference
Source: nvd
CVE-2026-31953 | P4 | MEDIUM | CVSS 5.4 | Fixed in: 4.4.1 | Published: 2026-04-24
CWE-79
Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is s
Source: nvd
CVE-2026-31956 | P4 | MEDIUM | CVSS 4.3 | Fixed in: 4.4.1 | Published: 2026-04-24
CWE-639
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized
Source: nvd
CVE-2024-43413 | P4 | MEDIUM | CVSS 4.8 | Fixed in: 4.1.0 | Published: 2024-09-03
CWE-79
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The
Source: nvd