VYPR

Vendor: Gibbon
Products: 3
CVEs: 20 (22 across products)
Status: Private

Recent CVEs (20)
  • CVE-2023-45878 (Critical) - Nov 14, 2023
    risk 0.69 | CVSS 9.8 | EPSS 0.63

    GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the…

  • CVE-2023-34598 (Critical) - Jun 29, 2023
    risk 0.67 | CVSS 9.8 | EPSS 0.47

    Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response.

  • CVE-2026-8208 (High) - May 9, 2026
    risk 0.58 | CVSS n/a | EPSS 0.00

    Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation…

  • CVE-2022-27305 (High) - May 25, 2022
    risk 0.57 | CVSS 8.8 | EPSS 0.01

    Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation.

  • CVE-2022-27311 (Critical) - Apr 25, 2022
    risk 0.57 | CVSS 9.8 | EPSS 0.01

    Gibbon v3.4.4 and below allows attackers to execute a Server-Side Request Forgery (SSRF) via a crafted URL.

  • CVE-2023-45880 (High) - Nov 14, 2023
    risk 0.47 | CVSS 7.2 | EPSS 0.01

    GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside…

  • CVE-2026-8207 (High) - May 9, 2026
    risk 0.46 | CVSS n/a | EPSS 0.00

    Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation…

  • CVE-2026-8209 (Medium) - May 9, 2026
    risk 0.45 | CVSS n/a | EPSS 0.00

    Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DOS by attempting extraction of web application PHP files, failed .zip extraction results in deletion of the file and a DOS condition. Successful exploitation requires Teacher or higher…

  • CVE-2023-45881 (Medium) - Nov 14, 2023
    risk 0.40 | CVSS 6.1 | EPSS 0.01

    GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

  • CVE-2023-34599 (Medium) - Jun 29, 2023
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to execute arbitrary JavaScript code.

  • CVE-2021-40492 (Medium) - Sep 3, 2021
    risk 0.40 | CVSS 6.1 | EPSS 0.02

    A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents to index.php).

  • CVE-2023-45879 (Medium) - Nov 14, 2023
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

  • CVE-2022-23871 (Medium) - Feb 3, 2022
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in the component outcomes_addProcess.php of Gibbon CMS v22.0.01 allow attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the name, category, or description parameters.

  • CVE-2021-40214 (Medium) - Sep 13, 2021
    risk 0.35 | CVSS 5.4 | EPSS 0.01

    Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component.

  • CVE-2022-22868 (Medium) - Jan 28, 2022
    risk 0.31 | CVSS 4.8 | EPSS 0.01

    Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability that allows attackers to inject arbitrary script via name parameters.

  • CVE-2024-24725 - Mar 23, 2024
    risk 0.09 | CVSS n/a | EPSS 0.51

    Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.

  • CVE-2024-24724 - Apr 3, 2024
    risk 0.07 | CVSS n/a | EPSS 0.26

    Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.

  • CVE-2025-26211 - May 27, 2025
    risk 0.00 | CVSS n/a | EPSS 0.00

    Gibbon before 29.0.00 allows CSRF.

  • CVE-2024-51337 - Nov 21, 2024
    risk 0.00 | CVSS n/a | EPSS 0.01

    Cross Site Scripting vulnerability in Gibbon before v.27.0.01 and fixed in v.28.0.00 allows a remote attacker to obtain sensitive information via the email parameter found in /Gibbon/modules/User Admin/user_manage_editProcess.php.

  • CVE-2024-34831 - Sep 10, 2024
    risk 0.00 | CVSS n/a | EPSS 0.01

    A cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.