CVE-2024-43413

Sept. 3, 2024, 7:40 p.m.

Awaiting Analysis
CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

Products

Xibo CMS

  • before 4.1.0

Source

security-advisories@github.com

Tags

CVE-2024-43413 details

Published : Sept. 3, 2024, 7:15 p.m.
Last Modified : Sept. 3, 2024, 7:40 p.m.

Description

Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue.

CVSS Score

1 2 3.5 4 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

Base Score

3.5

Exploitability Score

0.9

Impact Score

2.5

Base Severity

LOW

This website uses the NVD API, but is not approved or certified by it.