Information disclosure in Xibosignage Xibo-cms
CVE-2024-29023
Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. Session tokens are exposed in the return of session search API call on the sessions page. Subsequently they can be ex…
Vulnerability class: Information Disclosure
EPSS: 0.001 (28.7th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Xibosignage Xibo-cms — versions >= 1.8.0, < 3.3.10, >= 4.0.0, < 4.0.9
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-xmc6-cfq5-hg39 (x_refsource_CONFIRM)
- https://github.com/dasgarner/xibo-cms/commit/a81044e6ccdd92cc967e34c125bd8162432e51bc.diff (x_refsource_MISC)
- https://github.com/xibosignage/xibo-cms/commit/3b93636aa7aea07d1f7dfa36b63b773ac16d7cde (x_refsource_MISC)
- https://github.com/xibosignage/xibo-cms/commit/49f018fd9fe64fcd417d7c2ef96078bd7b2b88b7 (x_refsource_MISC)
- https://github.com/xibosignage/xibo-cms/commit/ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff (x_refsource_MISC)
- https://xibosignage.com/blog/security-advisory-2024-04 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2024-29023?
- CVE-2024-29023 is a high-severity vulnerability in Xibosignage Xibo-cms, classified under Information Disclosure. CVSS score: 7.2/10. Published 2024-04-12.
- How severe is CVE-2024-29023?
- High severity. CVSS v3 base score is 7.2 out of 10.
- Is CVE-2024-29023 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.