We recommend everyone upgrade to 3.3.10 or 4.0.9 or latest release as soon as possible. All affected CMS instances on our Cloud platform have been fully patched. For further information on each advisory please see the CVE link below.
Thanks to @Saadet-T (Saadet Elif Tokuoğlu) for responsibly disclosing these vulnerabilities and allowing us time to release 3.3.10/4.0.9.
Disclosure Timeline
16th March 16:00 - A draft security advisory was submitted by Saadet
17th March 16:00 - The issue was acknowledged and confirmed by Xibo
18th March 11:40 - Patches produced and applied to Xibo Cloud Hosting
18th March 13:38 - 3.3.10 released
18th March 15:01 - 4.0.9 released
11th April - Public disclosure
Issue #1 - Session Hijacking via XSS attack in header and session grid
Some request headers are not correctly sanitised when stored in the session and display tables.
These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions.
A malicious script can be injected into the display grid to exfiltrate information related to displays.
Versions affected: 1.8.0 and later. Fixed in 3.3.10 and 4.0.9
After extensive research we have determined that CMS instances hosted via our Cloud platform have not been exploited. All CMS instances hosted by Xibo of any version have been patched.
CVE-2024-29022
Issue #2 - Session Hijacking via token exposure on the session page
Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session.
Users must be granted access to the session page, or be a super admin.
Versions affected: 1.8.0 and later. Fixed in 3.3.10 and 4.0.9
After extensive research we have determined that CMS instances hosted via our Cloud platform have not been exploited. All CMS instances hosted by Xibo of any version have been patched.
More
Read more from the blog
Announcing Xibo for ChromeOS!
We’re thrilled to announce a new player in collaboration with ChromeOS. Bringing you Xibo for ChromeOS!
Xibo CMS v4.2.0 Released
Xibo v4.2 brings with it a host of new improvements that will improve the user experience and add new functionality.
More
Read more from the blog
Announcing Xibo for ChromeOS!
We’re thrilled to announce a new player in collaboration with ChromeOS. Bringing you Xibo for ChromeOS!
Xibo CMS v4.2.0 Released
Xibo v4.2 brings with it a host of new improvements that will improve the user experience and add new functionality.
