We recommend everyone upgrade to 3.3.12 or 4.0.14 or latest release as soon as possible. All affected CMS instances on our Cloud platform have been fully patched. For further information on each advisory please see the CVE link below.
Thanks to Sergey Bobrov (Kaspersky, https://kaspersky.com/) for responsibly disclosing these vulnerabilities and allowing us time to release 3.3.12/4.0.14.
Disclosure Timeline
11th July 18:00 - First advisory submitted
11th July 20:00 - Xibo acknowledged and provided patches for the issue. Xibo confirmed the issue does not affect Xibo Cloud Hosting.
12th July 09:00 to 11:00 - Draft security advisories were submitted
12th July 18:00 - 2 of the 3 issues acknowledged and recreated by Xibo, patches produced and applied to Xibo Cloud Hosting
15th July 08:30 - Remaining issue recreated by Xibo and patches applied to Xibo Cloud Hosting
15th July 14:08 - 3.3.12 released
15th July 14:24 - 4.0.14 released
30th July - Public disclosure
Issue #1 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report
An SQL injection vulnerability was discovered in the report/data/proofofplayReport API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the sortBy parameter.
Exploitation of the vulnerability is possible on behalf of an authorized user who has the following privileges:
- Access to Reporting feature
- View access to arbitrary display
This is only possible for CMS instances configured to use MySQL as their time series store, which is the default configuration.
Versions affected: 2.1.0 and later. Fixed in 3.3.12 and 4.0.14
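A sortBy parameter is a classic place for this class of bug because an ORDER BY clause takes an identifier, not a value, so it cannot be bound as a prepared-statement parameter. The following is an added example (not Xibo's code; the table and column names are constructed, and SQLite stands in for the MySQL time series store) contrasting the vulnerable pattern, where the request parameter is concatenated into the SQL text, with the allow-list approach a fix normally takes: the client may only name entries from a fixed map, and the server substitutes the real column and direction itself.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample rows standing in for a proof-of-play style table
# (hypothetical schema, not Xibo's real table layout).
SAMPLE_ROWS = [
    ("Lobby", "Welcome", 12),
    ("Cafe", "Menu", 40),
    ("Lobby", "Menu", 7),
]

# Allow-list: the only sortBy values a client may send, mapped to real columns.
SORTABLE_COLUMNS = {
    "display": "display_name",
    "layout": "layout_name",
    "plays": "play_count",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query_unsafe(sort_by: str) -> str:
    """The vulnerable pattern: whatever the client sent becomes part of the SQL text."""
    return f"SELECT display_name, layout_name, play_count FROM stat ORDER BY {sort_by}"


def resolve_sort(sort_by: str, direction: str = "asc") -> Optional[Tuple[str, str]]:
    """Map client-supplied sort parameters onto allow-listed column and direction.

    Returns None for anything not in the allow-list, so the caller can reject it
    (and log the rejected value, which is a useful detection signal)."""
    column = SORTABLE_COLUMNS.get(sort_by)
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        return None
    return column, order


def build_query_safe(sort_by: str, direction: str = "asc") -> str:
    """Hardened builder: only identifiers chosen by the server reach ORDER BY."""
    resolved = resolve_sort(sort_by, direction)
    if resolved is None:
        raise ValueError(f"unsupported sort parameter: {sort_by!r} {direction!r}")
    column, order = resolved
    return f"SELECT display_name, layout_name, play_count FROM stat ORDER BY {column} {order}"


def open_sample_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stat (display_name TEXT, layout_name TEXT, play_count INTEGER)")
    conn.executemany("INSERT INTO stat VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def report(sort_by: str, direction: str = "asc") -> list:
    """Run the hardened report query and return the rows."""
    conn = open_sample_db()
    try:
        return conn.execute(build_query_safe(sort_by, direction)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(report("plays", "desc"))
    # The unsafe builder embeds an unknown value verbatim; the safe one refuses it.
    print(build_query_unsafe("not_a_column"))
    print(resolve_sort("not_a_column"))
```

The same allow-list idea applies to any other identifier-position input (table names, column names in a GROUP BY); the test is whether the server, not the client, chooses the string that ends up in the query.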
Issue #2 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import
An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the APIs for importing JSON and importing a Layout containing DataSet data.
Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the following privileges:
- Access to DataSet Feature
- Access to the Layout Feature
Versions affected: 1.8.0 and later. Fixed in 3.3.12 and 4.0.14
Issue #3 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter
An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to obtain arbitrary data from the Xibo database by injecting specially crafted values into the API for viewing DataSet data.
Exploitation of the vulnerability is possible on behalf of an authorized user who has the following privileges:
- Access to DataSet Feature
Versions affected: 2.1.0 and later. Fixed in 3.3.12 and 4.0.14
Issue #4 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula
An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values into the formula parameter.
Exploitation of the vulnerability is possible on behalf of an authorized user who has the following privileges:
- Access to DataSet Feature
Versions affected: 2.1.0 and later. Fixed in 3.3.12 and 4.0.14
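Issues #2, #3 and #4 share one root cause: a DataSet filter or column formula is user-controlled text that eventually has to become part of a query, and a filter value or formula cannot simply be bound as a single parameter. The following added example (not Xibo's code; the DataSet schema and rows are constructed, and SQLite stands in for MySQL) shows the defensive pattern for both: a filter is parsed into an allow-listed column, an allow-listed operator and a bound value, and a formula is tokenised against an allow-list of column names, numeric literals and arithmetic symbols so that quotes, semicolons and keywords can never reach the SQL text.

```python
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample DataSet (hypothetical schema, not Xibo's real dataset tables).
DATASET_COLUMNS = {"city": "TEXT", "temp": "INTEGER", "humidity": "INTEGER"}
SAMPLE_ROWS = [("Oslo", 4, 80), ("Cairo", 31, 20), ("Lima", 18, 75)]

FILTER_OPERATORS = {"=", "!=", "<", "<=", ">", ">="}
# One clause per filter: <column> <operator> <value>
FILTER_RE = re.compile(r"^\s*(\w+)\s*(=|!=|<=|>=|<|>)\s*(.+?)\s*$")
# Formula tokens: number | identifier | arithmetic symbol. Nothing else is accepted.
FORMULA_TOKEN_RE = re.compile(r"\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*/()]))")


def compile_filter(user_filter: str) -> Tuple[str, list]:
    """Turn a user-supplied filter into a WHERE fragment plus bound parameters.

    The column and operator must be allow-listed; the value is bound, so it
    never becomes part of the SQL text."""
    m = FILTER_RE.match(user_filter)
    if not m:
        raise ValueError("filter must be '<column> <op> <value>'")
    column, op, value = m.groups()
    if column not in DATASET_COLUMNS:
        raise ValueError(f"unknown column {column!r}")
    if op not in FILTER_OPERATORS:
        raise ValueError(f"unsupported operator {op!r}")
    if DATASET_COLUMNS[column] == "INTEGER":
        try:
            value = int(value)
        except ValueError:
            raise ValueError("numeric column requires a numeric value")
    return f"{column} {op} ?", [value]


def validate_formula(formula: str) -> str:
    """Return a normalised formula made only of allow-listed tokens, or raise.

    This is a token allow-list with a parenthesis balance check, not a full
    expression grammar; it keeps foreign SQL out but does not guarantee the
    arithmetic is well formed, so the database may still reject it as a syntax error."""
    formula = formula.strip()
    tokens: List[str] = []
    pos, depth = 0, 0
    while pos < len(formula):
        m = FORMULA_TOKEN_RE.match(formula, pos)
        if not m:
            raise ValueError(f"illegal character in formula at offset {pos}")
        number, ident, symbol = m.groups()
        if ident is not None and ident not in DATASET_COLUMNS:
            raise ValueError(f"unknown column in formula: {ident!r}")
        if symbol == "(":
            depth += 1
        elif symbol == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses")
        tokens.append(m.group(0).strip())
        pos = m.end()
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return " ".join(tokens)


def is_valid_formula(formula: str) -> bool:
    try:
        validate_formula(formula)
        return True
    except ValueError:
        return False


def open_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dataset (city TEXT, temp INTEGER, humidity INTEGER)")
    conn.executemany("INSERT INTO dataset VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_dataset(filter_expr: Optional[str], formula: Optional[str]) -> list:
    """Build the DataSet view query from validated parts and return the rows."""
    select = ["city", "temp", "humidity"]
    if formula:
        select.append(f"({validate_formula(formula)}) AS computed")
    sql = f"SELECT {', '.join(select)} FROM dataset"
    params: list = []
    if filter_expr:
        where, params = compile_filter(filter_expr)
        sql += f" WHERE {where}"
    sql += " ORDER BY city"
    conn = open_sample_db()
    try:
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(query_dataset("temp > 10", "temp * 2"))
    print(is_valid_formula("temp ; humidity"))
```

Rejected filters and formulas are worth logging with the requesting user and the raw input: under the permission model described above, any account with DataSet access could submit them, so a burst of rejections from one account is the signal to look for.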