Impact
An SQL injection vulnerability was discovered in the nameFilter function used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators.
Patches
Users should upgrade to version 3.3.5 which fixes this issue.
Workarounds
Upgrading to a fixed version is necessary to remediate.
References
Xibo Signage Security Advisory
Claroty Team82 Disclosure
Credit
Thanks to Noam Moshe of Claroty Research who discovered this issue.
Impact
An SQL injection vulnerability was discovered in the
nameFilterfunction used throughout the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values for logical operators.Patches
Users should upgrade to version 3.3.5 which fixes this issue.
Workarounds
Upgrading to a fixed version is necessary to remediate.
References
Xibo Signage Security Advisory
Claroty Team82 Disclosure
Credit
Thanks to Noam Moshe of Claroty Research who discovered this issue.