Xibosignage Xibo-Cms vulnerabilities
20 known vulnerabilities affecting xibosignage/xibo-cms.
Total CVEs: 20
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: HIGH 8, MEDIUM 12
Vulnerabilities
CVE-2023-33177 | P2 | HIGH | CVSS 8.8 | CWE-22 | PoC available | affected: >= 1.8.0, < 2.3.17; >= 3.0.0, < 3.3.5 | published 2023-05-30
Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell
Source: nvd
CVE-2025-62369 | P3 | HIGH | CVSS 7.2 | CWE-94 | PoC available | fixed in 4.3.1 | published 2025-11-04
Xibo is an open source digital signage platform with a web content management system (CMS). Versions 4.3.0 and below contain a Remote Code Execution vulnerability in the CMS Developer menu's Module Templating functionality, allowing authenticated users with "System -> Add/Edit custom modules and templates" permissions to manipulate Twig filters and exe
Source: nvd
CVE-2026-31952 | P3 | HIGH | CVSS 8.1 | CWE-89 | affected: >= 1.7, < 4.4.1 | published 2026-04-24
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by i
Source: nvd
CVE-2026-42141 | P3 | HIGH | CVSS 7.7 | CWE-918 | fixed in 4.4.1 | published 2026-05-12
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability in the Xibo CMS allows users with Library upload permissions to make arbitrary HTTP requests from the CMS server to internal or external network reso
Source: nvd
CVE-2024-41802 | P3 | HIGH | CVSS 8.1 | CWE-89 | affected: >= 1.8.0, < 3.3.12; >= 4.0.0-alpha, < 4.0.14 | published 2024-07-30
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout contai
Source: nvd
CVE-2024-29022 | P3 | HIGH | CVSS 8.8 | CWE-79 | affected: >= 1.8.0, < 3.3.10; >= 4.0.0, < 4.0.9 | published 2024-04-12
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Age
Source: nvd
CVE-2024-29023 | P3 | HIGH | CVSS 7.2 | CWE-200 | affected: >= 1.8.0, < 3.3.10; >= 4.0.0, < 4.0.9 | published 2024-04-12
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session. Users must be granted access to the session page, or be a super admin. Use
Source: nvd
CVE-2026-42558 | P3 | HIGH | CVSS 7.6 | CWE-79 | fixed in 4.4.2 | published 2026-06-10
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.2, a vulnerability chain consisting of Stored XSS and Iframe Sandbox escape in the Xibo CMS allows users with DataSet permissions to use the Data Connector functionality to craft messages which escape the sandbox and fa
Source: nvd
CVE-2023-33178 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: >= 1.4.0, < 2.3.17; >= 3.0.0, < 3.3.5 | published 2023-05-30
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter.
Source: nvd
CVE-2024-41804 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: >= 2.1.0, < 3.3.12; >= 4.0.0-alpha, < 4.0.14 | published 2024-07-30
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `formula` parameter. Users shoul
Source: nvd
CVE-2023-33180 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: >= 3.2.0, < 3.3.5 | published 2023-05-30
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgra
Source: nvd
CVE-2024-41944 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: >= 2.1.0, < 3.3.12; >= 4.0.0-alpha, < 4.0.14 | published 2024-07-30
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the `sortBy` parameter. Users should upgrade to version 3.
Source: nvd
CVE-2023-33179 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: >= 3.2.0, < 3.3.5 | published 2023-05-30
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the `nameFilter` function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrad
Source: nvd
CVE-2024-41803 | P4 | MEDIUM | CVSS 4.9 | CWE-89 | affected: >= 2.1.0, < 3.3.12; >= 4.0.0-alpha, < 4.0.14 | published 2024-07-30
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data. Users should upgrade to version
Source: nvd
CVE-2026-31955 | P4 | MEDIUM | CVSS 4.9 | CWE-918 | fixed in 4.4.1 | published 2026-04-24
Xibo is an open source digital signage platform with a web content management system and Windows display player software. An authenticated Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.4.1 allows users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. Thi
Source: nvd
CVE-2023-33181 | P4 | MEDIUM | CVSS 5.3 | CWE-209 | affected: >= 3.0.0, < 3.3.5 | published 2023-05-30
Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users should upgrade to version 3.3.5, which fixes this issue. There are no kno
Source: nvd
CVE-2024-43412 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.1.0 | published 2024-09-03
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute arbitrary JavaScript via the file preview function. Users can upload HTML/CSS/JS files into the Xibo Library via the Generic File module to be reference
Source: nvd
CVE-2026-31953 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 4.4.1 | published 2026-04-24
Xibo is an open source digital signage platform with a web content management system and Windows display player software. A stored Cross-Site Scripting (XSS) vulnerability in versions prior to 4.4.1 allows an authenticated user with notification creation permissions to inject arbitrary JavaScript into the notification body. When the notification is s
Source: nvd
CVE-2026-31956 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | fixed in 4.4.1 | published 2026-04-24
Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of the vulnerability is possible on behalf of an authorized
Source: nvd
CVE-2024-43413 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 4.1.0 | published 2024-09-03
Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The
Source: nvd