Security Advisory - 4 issues affecting the CMS

We recommend everyone upgrade to 3.3.12 or 4.0.14 or latest release as soon as possible. All affected CMS instances on our Cloud platform have been fully patched. For further information on each advisory please see the CVE link below.

Thanks to Sergey Bobrov (Kaspersky, https://kaspersky.com/) for responsibly disclosing these vulnerabilities and allowing us time to release 3.3.12/4.0.14.

Disclosure Timeline

11th July 18:00 - First advisory submitted
11th July 20:00 - Xibo acknowledged and provided patches for the issue. Xibo confirmed the issue does not effect Xibo Cloud Hosting.
12th July 09:00 to 11:00 - Draft security advisories were submitted
12th July 18:00 - 2 of the 3 issues acknowledged and recreated by Xibo, patches produced and applied to Xibo Cloud Hosting
15th July 08:30 - Remaining issue recreated by Xibo and patches applied to Xibo Cloud Hosting
15th July 14:08 - 3.3.12 released
15th July 14:24 - 4.0.14 released
30th July - Public disclosure

Issue #1 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS proof of play report

An SQL injection vulnerability was discovered in the report/data/proofofplayReport API route inside the CMS. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the sortBy parameter.

Exploitation of the vulnerability is possible on behalf of an authorized user who has the following privileges:
- Access to Reporting feature
- View access to arbitrary display

This is only possible for CMS instances configured to use MySQL as their time series store, which is the default configuration.

Versions affected: 2.1.0 and later. Fixed in 3.3.12 and 4.0.14

CVE-2024-41944

Issue #2 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Data Import

An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the APIs for importing JSON and importing a Layout containing DataSet data.

Exploitation of the vulnerability is possible on behalf of an authorized user who has either of the following privileges:
- Access to DataSet Feature
- Access to the Layout Feature

Versions affected: 1.8.0 and later. Fixed in 3.3.12 and 4.0.14

CVE-2024-41802

Issue #3 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Filter

An SQL injection vulnerability was discovered in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to obtain arbitrary data from the Xibo database by injecting specially crafted values in to the API for viewing DataSet data.

Exploitation of the vulnerability is possible on behalf of an authorized user who has the following privileges:
- Access to DataSet Feature

Versions affected: 2.1.0 and later. Fixed in 3.3.12 and 4.0.14

CVE-2024-41803

Issue #4 - Sensitive Information Disclosure abusing SQL Injection in Xibo CMS DataSet Column Formula

An SQL injection vulnerability was discovered in the API route inside the CMS responsible for Adding/Editing DataSet Column Formulas. This allows an authenticated user to to obtain and modify arbitrary data from the Xibo database by injecting specially crafted values in to the formula parameter.

Exploitation of the vulnerability is possible on behalf of an authorized user who has the following privileges:
- Access to DataSet Feature

Versions affected: 2.1.0 and later. Fixed in 3.3.12 and 4.0.14

CVE-2024-41804