Xibo is an Open Source Digital Signage platform with a web content management system and Windows display player software. In affected versions some request headers are not correctly sanitised when stored in the session and display tables. These headers can be used to inject a malicious script into the session page to exfiltrate session IDs and User Agents. These session IDs / User Agents can subsequently be used to hijack active sessions. A malicious script can be injected into the display grid to exfiltrate information related to displays. Users should upgrade to version 3.3.10 or 4.0.9 which fix this issue. Customers who host their CMS with the Xibo Signage service have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running. Upgrading to a fixed version is necessary to remediate. Patches are available for earlier versions of Xibo CMS that are out of security support: 2.3 patch ebeccd000b51f00b9a25f56a2f252d6812ebf850.diff. 1.8 patch a81044e6ccdd92cc967e34c125bd8162432e51bc.diff. There are no known workarounds for this issue.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-04-12T21:04:23.813Z

Updated: 2024-08-02T01:03:51.421Z

Reserved: 2024-03-14T16:59:47.611Z

Link: CVE-2024-29022

cve-icon Vulnrichment

Updated: 2024-08-02T01:03:51.421Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-12T21:15:11.213

Modified: 2024-11-21T09:07:23.490

Link: CVE-2024-29022

cve-icon Redhat

No data.