Impact
An SQL injection vulnerability was discovered in the /display/map API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the bounds parameter.
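The general remediation for this class of bug is to validate the bounds value strictly and keep it out of the SQL text entirely. The PHP below is an added example, not Xibo's code: it assumes bounds arrives as "minLat,minLng,maxLat,maxLng", and the table and column names (display, latitude, longitude) are placeholders rather than Xibo's real schema.

```php
<?php
// Added example (not Xibo's code). Assumed input format: "minLat,minLng,maxLat,maxLng".
// Table and column names below are placeholders, not the Xibo schema.

function parseBounds(string $bounds): array
{
    // Accept only four decimal numbers separated by commas. Anything else
    // (letters, quotes, operators, extra separators) is rejected up front.
    $num = '-?\d{1,3}(?:\.\d+)?';
    $re  = '/^(' . $num . '),(' . $num . '),(' . $num . '),(' . $num . ')$/';
    if (!preg_match($re, $bounds, $m)) {
        throw new InvalidArgumentException('bounds must be four comma-separated coordinates');
    }
    $b = [
        'minLat' => (float) $m[1], 'minLng' => (float) $m[2],
        'maxLat' => (float) $m[3], 'maxLng' => (float) $m[4],
    ];
    // Coordinates must be geographically plausible and ordered.
    foreach (['minLat', 'maxLat'] as $k) {
        if ($b[$k] < -90 || $b[$k] > 90) {
            throw new InvalidArgumentException("$k out of range");
        }
    }
    foreach (['minLng', 'maxLng'] as $k) {
        if ($b[$k] < -180 || $b[$k] > 180) {
            throw new InvalidArgumentException("$k out of range");
        }
    }
    if ($b['minLat'] > $b['maxLat'] || $b['minLng'] > $b['maxLng']) {
        throw new InvalidArgumentException('bounds are not ordered min,max');
    }
    return $b;
}

function displaysInBounds(PDO $db, string $bounds): array
{
    $b = parseBounds($bounds);
    // Unsafe pattern (for contrast only): "... BETWEEN $minLat AND $maxLat" built from raw input.
    // Safe pattern: the SQL text is fixed; values travel as bound parameters.
    $stmt = $db->prepare(
        'SELECT displayId, display, latitude, longitude FROM display
          WHERE latitude BETWEEN :minLat AND :maxLat
            AND longitude BETWEEN :minLng AND :maxLng'
    );
    foreach ($b as $name => $value) {
        $stmt->bindValue(':' . $name, $value);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Rejected requests surface as InvalidArgumentException, which a route handler can map to an HTTP 400 and log; the count of such rejections on this route is a useful detection signal.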
Patches
Users should upgrade to version 3.3.5 which fixes this issue.
Workarounds
Upgrading to a fixed version is necessary to remediate.
References
Xibo Signage Security Advisory
Claroty Team82 Disclosure
Credit
Thanks to Noam Moshe of Claroty Research who discovered this issue.