VYPR
Medium severity · NVD Advisory · Published Oct 10, 2025 · Updated Apr 15, 2026

CVE-2025-41088

Description

Stored Cross-Site Scripting (XSS) in Xibo Signage's Xibo CMS v4.1.2, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and finally modify the 'Text' field in the section with the malicious payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Xibo CMS v4.1.2 due to improper input validation allows attackers to inject malicious scripts via template text fields.

Vulnerability

Overview

CVE-2025-41088 is a stored Cross-Site Scripting (XSS) vulnerability in Xibo CMS v4.1.2, caused by insufficient validation of user-supplied input. An attacker with template creation privileges can inject arbitrary JavaScript by placing a crafted payload in the 'Text' field of a text element within a template [1].

Exploitation

Conditions

To exploit, the attacker must first create a template in the 'Templates' section, then add a text element in the 'Global Elements' section, and modify the 'Text' field with the malicious script. The vulnerability requires the attacker to have at least low-privilege access (PR:L) and user interaction (UI:P) from the victim [1].

Impact

Successful exploitation leads to stored XSS, where the malicious code executes in the context of any user viewing the affected content. This can result in data theft, session hijacking, or other client-side attacks. The CVSS v4.0 base score is 5.1 (Medium), indicating limited impact on confidentiality and integrity but potential for lateral movement within the application [1].

Mitigation

Xibo Signage has addressed this vulnerability in version 4.2.2. Users are advised to upgrade to the latest version to eliminate the risk. No workarounds are documented [1].
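The root cause named above, stored text reaching an HTML page without validation or encoding, has a standard defensive pattern: treat the stored 'Text' value strictly as data and HTML-escape it at render time, and audit already-stored templates for markup after upgrading. The following is an added illustration of that pattern and is not Xibo CMS code, nor is it derived from the 4.2.2 fix, whose details the advisory does not give; the element shape ({ id, text }) and the function names are assumptions made for the example.

```javascript
// Added illustration of the defensive pattern for a stored-XSS bug class:
// user-supplied text destined for an HTML page is HTML-escaped at render
// time, so stored markup is displayed as text rather than parsed.
// Generic example code, not Xibo CMS source; the element shape
// ({ id, text }) and the function names are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape the five characters that can change HTML structure or break out
// of a quoted attribute value. One regex pass replaces each exactly once.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a "text element" the way a template renderer should: the stored
// text is data, never markup. Interpolating it unescaped is the defect
// class the advisory describes.
function renderTextElement(element) {
  const id = escapeHtml(element.id);
  const text = escapeHtml(element.text);
  return `<div class="text-element" data-id="${id}">${text}</div>`;
}

// Audit helper for already-stored content: flag template text containing
// tags, inline event handlers or javascript: URLs so an administrator can
// review it after upgrading. A triage heuristic, not a sanitizer.
const ACTIVE_CONTENT =
  /<\s*\/?\s*(script|iframe|object|embed|svg|img)\b|\bon[a-z]+\s*=|javascript:/i;

function needsReview(text) {
  return ACTIVE_CONTENT.test(String(text));
}

// Return the ids of elements whose stored text warrants review.
function auditElements(elements) {
  return elements.filter((el) => needsReview(el.text)).map((el) => el.id);
}

// Constructed sample data (not from the advisory): one benign text element
// and one carrying markup, as stored-XSS content would.
const SAMPLE_ELEMENTS = [
  { id: 'welcome', text: 'Welcome to the lobby' },
  { id: 'notice', text: '<script>alert(1)</script>' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const el of SAMPLE_ELEMENTS) console.log(renderTextElement(el));
  console.log('needs review:', auditElements(SAMPLE_ELEMENTS));
}
```

Escaping at the output boundary is preferable to rejecting input, because it preserves legitimate text containing `<` or `&` while guaranteeing the browser never parses it as markup; the audit helper is only a way to find content worth a human look, not a substitute for the upgrade.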

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.