We recommend that everyone upgrade to 3.3.10, 4.0.9 or the latest release as soon as possible. All affected CMS instances on our Cloud platform have been fully patched. For further information on each advisory, please see the CVE link below.
Thanks to @Saadet-T (Saadet Elif Tokuoğlu) for responsibly disclosing these vulnerabilities and allowing us time to release 3.3.10/4.0.9.
Disclosure Timeline
16th March 16:00 - A draft security advisory was submitted by Saadet
17th March 16:00 - The issue was acknowledged and confirmed by Xibo
18th March 11:40 - Patches produced and applied to Xibo Cloud Hosting
18th March 13:38 - 3.3.10 released
18th March 15:01 - 4.0.9 released
11th April - Public disclosure
Issue #1 - Session Hijacking via XSS attack in header and session grid
Some request headers are not correctly sanitised when they are stored in the session and display tables and later rendered in the corresponding grids.
An attacker can therefore use these headers to inject a malicious script into the sessions page. That script can exfiltrate session IDs and User-Agent strings, which can subsequently be used to hijack active sessions.
A script injected into the displays grid can likewise exfiltrate information about displays.
Versions affected: 1.8.0 and later. Fixed in 3.3.10 and 4.0.9
After extensive research we have determined that CMS instances hosted via our Cloud platform have not been exploited. All CMS instances hosted by Xibo of any version have been patched.
CVE-2024-29022
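As an added illustration of Issue #1 (example code written for this advisory, not Xibo's own code): a grid row renderer that drops a stored request header straight into markup, beside the output-encoded version, plus a write-path sanitiser and a small check that flags raw markup surviving into the rendered HTML. The row field names, the sample rows and the User-Agent payload are constructed assumptions for illustration only.

```javascript
// Added example, not Xibo's code: how a request header that is stored and later
// rendered into a grid becomes stored XSS, and the output-encoding fix.
// Field names (userName, userAgent, remoteAddr) are assumptions for illustration.

// Constructed sample rows, as a sessions grid might receive them from the server.
// The second row carries a User-Agent that the requesting client fully controls.
const SAMPLE_SESSIONS = [
  { userName: 'alice', userAgent: 'Mozilla/5.0 (X11; Linux x86_64)', remoteAddr: '10.0.0.5' },
  {
    userName: 'mallory',
    userAgent: '<script>/* attacker script would run in the admin browser */</script>',
    remoteAddr: '10.0.0.9',
  },
];

// Vulnerable: header values are interpolated into markup as-is.
function renderSessionRowVulnerable(session) {
  return `<tr><td>${session.userName}</td><td>${session.userAgent}</td><td>${session.remoteAddr}</td></tr>`;
}

// Hardened: every untrusted value is HTML-entity encoded at the point of output.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderSessionRowSafe(session) {
  return `<tr><td>${escapeHtml(session.userName)}</td><td>${escapeHtml(session.userAgent)}</td><td>${escapeHtml(session.remoteAddr)}</td></tr>`;
}

// Defence in depth on the write path: strip control characters and clamp length
// before a header reaches the database. This does not replace output encoding;
// the same stored value may later be rendered in a context this never foresaw.
function sanitiseHeaderForStorage(value, maxLen = 255) {
  return String(value).replace(/[\u0000-\u001f\u007f]/g, '').slice(0, maxLen);
}

// Regression check: does the rendered markup still contain a raw tag from input?
function containsRawMarkup(html, untrustedValue) {
  return /[<>]/.test(untrustedValue) && html.includes(untrustedValue);
}

function renderGrid(sessions, renderRow) {
  return `<table>${sessions.map(renderRow).join('')}</table>`;
}

// Usage: render the same rows through both renderers and compare.
const malloryRow = SAMPLE_SESSIONS[1];
const vulnerableGrid = renderGrid(SAMPLE_SESSIONS, renderSessionRowVulnerable);
const safeGrid = renderGrid(SAMPLE_SESSIONS, renderSessionRowSafe);
console.log('vulnerable grid leaks raw tag:', containsRawMarkup(vulnerableGrid, malloryRow.userAgent)); // true
console.log('hardened grid leaks raw tag:', containsRawMarkup(safeGrid, malloryRow.userAgent)); // false
```

The point to take from the pair is that the fix belongs at the output boundary: encode every header-derived value as it goes into the page, and treat storage-time cleanup as a second layer only. If the real grid is built by a client-side table library, check whether the column renderer it uses treats cell data as HTML or as text, because the former reintroduces the bug even when the server has encoded nothing.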
Issue #2 - Session Hijacking via token exposure on the session page
Session tokens are exposed in the response of the session search API call made by the sessions page. They can subsequently be exfiltrated and used to hijack a session.
Exploitation requires a user who has been granted access to the sessions page, or who is a super admin.
Versions affected: 1.8.0 and later. Fixed in 3.3.10 and 4.0.9
After extensive research we have determined that CMS instances hosted via our Cloud platform have not been exploited. All CMS instances hosted by Xibo of any version have been patched.
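As an added illustration of Issue #2 (example code written for this advisory, not Xibo's own code): an allow-list serialiser that strips the session identifier from a session-search response before it leaves the server, and a regression check that walks any JSON response looking for keys that carry session identifiers or tokens. The response shape and field names are constructed assumptions, not Xibo's schema.

```javascript
// Added example, not Xibo's code: keep session tokens out of a session-search
// API response by serialising through an allow-list, and detect regressions.
// Field names below are assumptions for illustration, not Xibo's schema.

// Constructed sample of what a "return the whole ORM row" endpoint might emit.
const RAW_SESSION_SEARCH_RESPONSE = {
  data: [
    { sessionId: '9f3c2a7e1b4d8f60c5e2a9b7d4f1c8e3', userId: 1, userName: 'xibo_admin',
      userAgent: 'Mozilla/5.0', remoteAddr: '10.0.0.5', lastAccessed: '2024-03-16 16:00:00', isExpired: 0 },
    { sessionId: '4b1d9e2f7c3a6085e1f4b2c9d7a3e6f0', userId: 7, userName: 'editor',
      userAgent: 'Mozilla/5.0', remoteAddr: '10.0.0.9', lastAccessed: '2024-03-16 15:40:00', isExpired: 1 },
  ],
  recordsTotal: 2,
};

// Only these fields are needed to administer sessions; the identifier is not one of them.
const SESSION_PUBLIC_FIELDS = ['userId', 'userName', 'userAgent', 'remoteAddr', 'lastAccessed', 'isExpired'];

// Allow-list serialiser: anything not named here is dropped, so a new column
// added to the table later does not leak by default.
function redactSessionRecord(record, allowlist = SESSION_PUBLIC_FIELDS) {
  const out = {};
  for (const key of allowlist) {
    if (key in record) out[key] = record[key];
  }
  return out;
}

function buildSessionSearchResponse(raw) {
  return { ...raw, data: raw.data.map((record) => redactSessionRecord(record)) };
}

// Regression check: key names that should never appear with a value in a response
// body. Extend the pattern for the identifiers a given application uses.
const SECRET_KEY_PATTERN = /^(session[_-]?id|session|token|.*_token|phpsessid)$/i;

// Walks arrays and objects, returning JSONPath-style locations of offending keys.
function findLeakedTokenPaths(value, path = '$') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findLeakedTokenPaths(item, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (SECRET_KEY_PATTERN.test(key) && typeof child === 'string' && child.length > 0) {
        hits.push(childPath);
      }
      hits.push(...findLeakedTokenPaths(child, childPath));
    }
  }
  return hits;
}

// Usage: the raw response fails the check, the redacted one passes.
const rawLeaks = findLeakedTokenPaths(RAW_SESSION_SEARCH_RESPONSE);
const redactedResponse = buildSessionSearchResponse(RAW_SESSION_SEARCH_RESPONSE);
console.log('raw response leaks at:', rawLeaks);            // two $.data[n].sessionId paths
console.log('redacted leaks:', findLeakedTokenPaths(redactedResponse).length); // 0
```

A check like `findLeakedTokenPaths` is cheap to run against recorded responses from every authenticated endpoint in an integration test, and catches the case this advisory describes: the grid never needed the token, but the endpoint returned the full row anyway. For an operator on an unpatched version, the same walk over a captured response from the sessions page shows whether the field is present.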