VYPR

Gibbon

by Gibbon

gem: gibbon

CVEs (17)

  • CVE-2023-45878 | Critical | Nov 14, 2023
    risk 0.69, CVSS 9.8, EPSS 0.63

    GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the…

  • CVE-2023-34598 | Critical | Jun 29, 2023
    risk 0.67, CVSS 9.8, EPSS 0.47

    Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response.

  • CVE-2026-8208 | High | May 9, 2026
    risk 0.58, CVSS: none listed, EPSS 0.00

    Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation…

  • CVE-2022-27305 | High | May 25, 2022
    risk 0.57, CVSS 8.8, EPSS 0.01

    Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.

  • CVE-2022-27311 | Critical | Apr 25, 2022
    risk 0.57, CVSS 9.8, EPSS 0.01

    Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL.

  • CVE-2023-45880 | High | Nov 14, 2023
    risk 0.47, CVSS 7.2, EPSS 0.01

    GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside…

  • CVE-2026-8209 | Medium | May 9, 2026
    risk 0.45, CVSS: none listed, EPSS 0.00

    Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DoS by attempting extraction of web application PHP files; a failed .zip extraction results in deletion of the file and a DoS condition. Successful exploitation requires Teacher or higher…

  • CVE-2023-45881 | Medium | Nov 14, 2023
    risk 0.40, CVSS 6.1, EPSS 0.01

    GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

  • CVE-2023-34599 | Medium | Jun 29, 2023
    risk 0.40, CVSS 6.1, EPSS 0.02

    Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to execute arbitrary JavaScript code.

  • CVE-2021-40492 | Medium | Sep 3, 2021
    risk 0.40, CVSS 6.1, EPSS 0.02

    A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents to index.php).

  • CVE-2023-45879 | Medium | Nov 14, 2023
    risk 0.35, CVSS 5.4, EPSS 0.00

    GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

  • CVE-2021-40214 | Medium | Sep 13, 2021
    risk 0.35, CVSS 5.4, EPSS 0.01

    Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component.

  • CVE-2024-24725 | Mar 23, 2024
    risk 0.09, CVSS: none listed, EPSS 0.51

    Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.

  • CVE-2024-24724 | Apr 3, 2024
    risk 0.07, CVSS: none listed, EPSS 0.26

    Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.

  • CVE-2025-26211 | May 27, 2025
    risk 0.00, CVSS: none listed, EPSS 0.00

    Gibbon before 29.0.00 allows CSRF.

  • CVE-2024-51337 | Nov 21, 2024
    risk 0.00, CVSS: none listed, EPSS 0.01

    Cross Site Scripting vulnerability in Gibbon before v.27.0.01 and fixed in v.28.0.00 allows a remote attacker to obtain sensitive information via the email parameter found in /Gibbon/modules/User Admin/user_manage_editProcess.php.

  • CVE-2024-34831 | Sep 10, 2024
    risk 0.00, CVSS: none listed, EPSS 0.01

    Cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.