VYPR

Xibocms

by Xibosignage

CVEs (7)

  • CVE-2024-29022 | High | Apr 12, 2024
    risk 0.50 | cvss 8.8 | epss 0.01

    Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a…

  • CVE-2024-29023 | High | Apr 12, 2024
    risk 0.40 | cvss 7.2 | epss 0.01

    Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be exfiltrated and used to hijack a session.…

  • CVE-2024-41944 | Medium | Jul 30, 2024
    risk 0.35 | cvss 6.5 | epss 0.00

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `report/data/proofofplayReport` API route inside the CMS. This allows an authenticated user to obtain and modify arbitrary data from the Xibo database by injecting specially…

  • CVE-2025-41089 | Medium | Oct 10, 2025
    risk 0.31 | cvss - | epss 0.00

    Reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to a lack of proper validation of user input. To exploit the vulnerability, the attacker must create a template in the 'Templates' section, then add an element that has the 'Configuration Name' field,…

  • CVE-2023-33181 | May 30, 2023
    risk 0.00 | cvss - | epss 0.01

    Xibo is a content management system (CMS). Starting in version 3.0.0 and prior to version 3.3.5, some API routes will print a stack trace when called with missing or invalid parameters revealing sensitive information about the locations of paths that the server is using. Users…

  • CVE-2023-33180 | May 30, 2023
    risk 0.00 | cvss - | epss 0.01

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting…

  • CVE-2023-33178 | May 30, 2023
    risk 0.00 | cvss - | epss 0.01

    Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo…