Security Advisory - 5 issues affecting the CMS

We recommend that everyone upgrade to 2.3.17 or 3.3.5 as soon as possible. All affected CMS instances on our Cloud platform have been fully patched. For further information on each advisory, please see the CVE link below.

Thanks to Noam Moshe of Claroty Research - Team82 for responsibly disclosing these vulnerabilities and allowing us time to release 2.3.17/3.3.5.

Issue #1 - Path Traversal and RCE
It is possible for a logged-in user of the CMS to upload a specially constructed ZIP file whose entries are written outside the intended directory, placing malicious files on the web server and achieving remote code execution.
Versions affected: 1.8.0 and later. Fixed in 2.3.17 and 3.3.5.

The configuration of our Cloud platform makes this vulnerability significantly harder, and potentially impossible, to exploit.

CVE-2023-33177
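
The check a defender wants on the upload path for Issue #1 is to validate every archive entry name before anything is written to disk, and to reject the whole upload rather than silently rewriting bad names. The following is an added example, not the CMS's own code: it builds a constructed in-memory ZIP containing one benign entry and one entry whose name climbs out of the extraction directory, then resolves each entry against the destination and reports any that would land outside it. Python's own ZipFile.extract already strips ".." components, so the point of the explicit check is to fail the request loudly and log it, which is what an upload handler should do. The destination path and file names are placeholders.

```python
import io
import os
import zipfile

def build_sample_zip() -> bytes:
    """Constructed sample archive: one normal entry, one path-traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("layout/index.html", "<h1>hello</h1>")
        # Entry name that escapes the extraction root (a "zip slip" entry).
        zf.writestr("../../web/evil.php", "placeholder content")
    return buf.getvalue()

def unsafe_members(zip_bytes: bytes, dest_dir: str) -> list:
    """Return the names of entries that would resolve outside dest_dir.

    dest_dir need not exist yet; realpath() still normalises it.
    """
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and drive letters are never acceptable in an upload.
            if os.path.isabs(name) or os.path.splitdrive(name)[0]:
                bad.append(name)
                continue
            # Resolve the would-be target and confirm it stays under dest.
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                bad.append(name)
    return bad

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract only if every entry is safe; otherwise refuse the whole archive."""
    bad = unsafe_members(zip_bytes, dest_dir)
    if bad:
        # Reject rather than sanitise: a traversal entry means the upload is hostile.
        raise ValueError("archive rejected, traversal entries: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()

if __name__ == "__main__":
    sample = build_sample_zip()
    print("unsafe entries:", unsafe_members(sample, "/var/tmp/cms-layout-extract"))
```

The commonpath comparison is what catches names such as "sub/../../x" that a naive startswith() check on the raw string would miss, because the path is normalised before it is compared. Archives that contain symbolic links need a separate check on the entry's external attributes, which this example does not cover.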

Issue #2 - SQL Injection
It is possible for a logged-in user of the CMS to use SQL injection to pull sensitive information from the database.
Versions affected: 1.4.0 and later. Fixed in 2.3.17 and 3.3.5.

CVE-2023-33178

Issue #3 - SQL Injection
It is possible for a logged-in user of the CMS to use SQL injection to pull sensitive information from the database.
Versions affected: 3.2.0 and later. Fixed in 3.3.5.

CVE-2023-33179

Issue #4 - SQL Injection
It is possible for a logged-in user of the CMS to use SQL injection to pull sensitive information from the database.
Versions affected: 3.2.0 and later. Fixed in 3.3.5.

CVE-2023-33180
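
Issues #2, #3 and #4 are all the same class of bug, and the advisory does not say which queries were affected. As an added example that is not the project's code, the block below shows the general pattern behind all three on a constructed SQLite table: a query that concatenates user input into SQL text beside its parameterised form, plus the allow-list approach for the one case bound parameters cannot cover, a caller-chosen sort column. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data; not the CMS's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO media VALUES (?, ?, ?)",
        [(1, "logo.png", "alice"), (2, "video.mp4", "bob"), (3, "notes.pdf", "bob")],
    )
    return conn

def find_media_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: the input becomes part of the SQL statement itself."""
    sql = "SELECT name FROM media WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]

def find_media_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened pattern: the input is bound as a value and can never change the query shape."""
    rows = conn.execute("SELECT name FROM media WHERE owner = ?", (owner,))
    return [row[0] for row in rows]

# Identifiers (column names) cannot be bound as parameters, so a sort column
# chosen by the client is mapped through a fixed allow-list instead.
SORT_COLUMNS = {"name": "name", "id": "id"}

def list_media_sorted(conn: sqlite3.Connection, sort_key: str) -> list:
    """Sort by a client-supplied key, accepting only known column names."""
    column = SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError("unsupported sort key: %r" % sort_key)
    rows = conn.execute("SELECT name FROM media ORDER BY " + column)
    return [row[0] for row in rows]

if __name__ == "__main__":
    conn = make_db()
    # Textbook tautology input: the vulnerable query returns every row,
    # the parameterised one treats it as an owner name that does not exist.
    payload = "' OR '1'='1"
    print("vulnerable:", find_media_vulnerable(conn, payload))
    print("safe:      ", find_media_safe(conn, payload))
```

The detection angle follows from the same contrast: a query-logging layer that sees the concatenated form will record the attacker-controlled text inside the statement, whereas with bound parameters the statement text logged is always the fixed template.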

Issue #5 - Exposed Stack Trace
An error message returned to the client included a stack trace, disclosing information about the directory structure on the server.
Versions affected: 3.0.0 and later. Fixed in 3.3.5.

CVE-2023-33181
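
The fix for Issue #5 is a matter of where the trace goes. The following is an added example, not the CMS's code, of the split a web application should make: the full traceback, with its file paths, is written to the server log under a generated incident id, and the client receives only a generic message plus that id so support staff can correlate the two. The request handler and the failure it raises are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("cms-example")

def failing_handler():
    """Constructed handler that fails the way a real request might."""
    raise FileNotFoundError("/var/www/cms/library/missing-layout.xlf")

def handle_request(handler) -> tuple:
    """Run a handler; on failure, log the trace server-side and return a generic body."""
    try:
        return 200, {"result": handler()}
    except Exception:
        incident_id = uuid.uuid4().hex
        # The trace, including server paths, stays in the log only.
        log.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, {"error": "Internal server error", "incident": incident_id}

def body_is_generic(body: dict) -> bool:
    """True when the client-visible body carries no trace or path fragments."""
    text = str(body)
    return "Traceback" not in text and "/var/www" not in text and "File \"" not in text

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    status, body = handle_request(failing_handler)
    print(status, body)
```

Frameworks usually expose this as a debug flag; the operational check is that production configuration has it off and that the error page template contains nothing beyond the generic message and correlation id.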
