Gibbon
by Gibbon
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-45878 | Gibbon / Gibbon | Critical | 0.69 | 9.8 | 0.63 | | Nov 14, 2023 | GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the… |
| CVE-2023-34598 | Gibbon / Gibbon | Critical | 0.67 | 9.8 | 0.47 | | Jun 29, 2023 | Gibbon v25.0.0 is vulnerable to Local File Inclusion (LFI): the content of several files in the installation folder can be included in the server's response. |
| CVE-2026-8208 | Gibbon / Gibbon | High | 0.58 | — | 0.00 | | May 9, 2026 | Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user-provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation… |
| CVE-2022-27305 | Gibbon / Gibbon | High | 0.57 | 8.8 | 0.01 | | May 25, 2022 | Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. |
| CVE-2022-27311 | Gibbon / Gibbon | Critical | 0.57 | 9.8 | 0.01 | | Apr 25, 2022 | Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL. |
| CVE-2023-45880 | Gibbon / Gibbon | High | 0.47 | 7.2 | 0.01 | | Nov 14, 2023 | GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside… |
| CVE-2026-8209 | Gibbon / Gibbon | Medium | 0.45 | — | 0.00 | | May 9, 2026 | Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DoS: attempting to extract a web application PHP file as a .zip fails, and the failed extraction deletes the file, leaving the application in a DoS condition. Successful exploitation requires Teacher or higher… |
| CVE-2023-45881 | Gibbon / Gibbon | Medium | 0.40 | 6.1 | 0.01 | | Nov 14, 2023 | GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response. |
| CVE-2023-34599 | Gibbon / Gibbon | Medium | 0.40 | 6.1 | 0.02 | | Jun 29, 2023 | Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to execute arbitrary JavaScript code. |
| CVE-2021-40492 | Gibbon / Gibbon | Medium | 0.40 | 6.1 | 0.02 | | Sep 3, 2021 | A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows arbitrary execution of JavaScript (via the gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents parameters to index.php). |
| CVE-2023-45879 | Gibbon / Gibbon | Medium | 0.35 | 5.4 | 0.00 | | Nov 14, 2023 | GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element in the Messenger component. |
| CVE-2021-40214 | Gibbon / Gibbon | Medium | 0.35 | 5.4 | 0.01 | | Sep 13, 2021 | Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component. |
| CVE-2024-24725 | Gibbon / Gibbon | | 0.09 | — | 0.51 | | Mar 23, 2024 | Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI. |
| CVE-2024-24724 | Gibbon / Gibbon | | 0.07 | — | 0.26 | | Apr 3, 2024 | Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization. |
| CVE-2025-26211 | Gibbon / Gibbon | | 0.00 | — | 0.00 | | May 27, 2025 | Gibbon before 29.0.00 allows CSRF. |
| CVE-2024-51337 | Gibbon / Gibbon | | 0.00 | — | 0.01 | | Nov 21, 2024 | Cross-site scripting vulnerability in Gibbon before v27.0.01 (fixed in v28.0.00) allows a remote attacker to obtain sensitive information via the email parameter in /Gibbon/modules/User Admin/user_manage_editProcess.php. |
| CVE-2024-34831 | Gibbon / Gibbon | | 0.00 | — | 0.01 | | Sep 10, 2024 | Cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component. |
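Four of the rows above (CVE-2023-45878, CVE-2023-45880, CVE-2026-8208 and CVE-2026-8209) share one root cause: a caller-controlled path, directory setting or file extension reaches the filesystem without being confined. The PHP below is an added hardening example written for this page; it is not Gibbon's code and not the project's fix for any of these CVEs. It assumes PHP 8 (for str_contains) and uses illustrative names (assertSafeDestination, a scratch templates_ directory, constructed test paths) to show the two checks a write destination needs: canonicalise the parent directory with realpath() and compare it against the base directory, and allow only a fixed list of non-executable extensions.

```php
<?php
declare(strict_types=1);

// Added hardening example (not Gibbon's code). Confines a user-supplied
// destination path to a fixed base directory and to an allow-list of
// non-executable extensions. Function and variable names are illustrative.

/**
 * Return the canonical absolute path for $userPath inside $baseDir, or throw.
 *
 * Rejects NUL bytes, disallowed extensions, and any path whose parent
 * directory resolves outside $baseDir (e.g. "../../var/www/x.png").
 * The target file itself need not exist yet; its parent directory must.
 */
function assertSafeDestination(string $baseDir, string $userPath, array $allowedExt): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory does not exist');
    }
    if ($userPath === '' || str_contains($userPath, "\0")) {
        throw new InvalidArgumentException('invalid path');
    }

    // Only the final extension counts, compared case-insensitively, so
    // "shell.php", "shell.PHP" and "report.zip" are all refused unless listed.
    $ext = strtolower(pathinfo($userPath, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException("extension '{$ext}' not allowed");
    }

    // realpath() on the parent (which must exist) collapses ".." and symlinks;
    // re-attach the basename so a not-yet-created file can still be checked.
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\');
    $parent = realpath(dirname($candidate));
    if ($parent === false) {
        throw new InvalidArgumentException('destination directory does not exist');
    }
    $resolved = $parent . DIRECTORY_SEPARATOR . basename($candidate);

    // Containment: the resolved path must start with "<base>/". The trailing
    // separator stops "/srv/templates_evil" from matching "/srv/templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path escapes base directory');
    }
    return $resolved;
}

// Constructed demonstration: a scratch base directory with one subfolder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'templates_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'themes', 0700, true);

$cases = [
    'themes/banner.png',          // accepted
    '../../../../tmp/evil.png',   // traversal: parent resolves outside $root
    'themes/shell.php',           // executable extension
    'themes/report.zip',          // archive not in the allow-list
    "themes/img.png\0.php",       // NUL byte
    'missing/dir/pic.jpg',        // parent directory does not exist
];
foreach ($cases as $case) {
    try {
        $ok = assertSafeDestination($root, $case, ['png', 'jpg', 'gif']);
        echo 'ALLOW ', $case, ' -> ', $ok, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'DENY  ', addcslashes($case, "\0"), ': ', $e->getMessage(), PHP_EOL;
    }
}

rmdir($root . DIRECTORY_SEPARATOR . 'themes');
rmdir($root);
```

The containment check is the one that matters when the directory setting itself is attacker-controlled, as in the report archive directory case: an allow-list of extensions does nothing if the directory can be pointed somewhere the server will hand the written bytes to the PHP interpreter. Keeping written files outside the document root is the complementary control, and neither check substitutes for the authentication the unauthenticated save endpoint lacked.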