Headline
CVE-2023-33179: Sensitive Information Disclosure abusing SQL Injection in Xibo CMS nameFilter
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.5 in the nameFilter function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators. Users should upgrade to version 3.3.5 which fixes this issue. There are no known workarounds aside from upgrading.
Impact
An SQL injection vulnerability was discovered in the nameFilter function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators.
Patches
Users should upgrade to version 3.3.5 which fixes this issue.
Workarounds
Upgrading to a fixed version is necessary to remediate.
References
Xibo Signage Security Advisory
Claroty Team82 Disclosure
Credit
Thanks to Noam Moshe of Claroty Research who discovered this issue.