Three security advisories have been resolved in recent releases.
We recommend everyone using Xibo CMS v4 upgrade to Xibo 4.3.1 or the latest release as soon as possible.
Issue 1 - RCE
A remote code execution (RCE) vulnerability was discovered in the Module Templating functionality inside the CMS Developer menu. It allows an authenticated user to manipulate Twig filters and run specific functions server-side as the user the web server runs under, which is normally a limited user account.
The vulnerability can only be exploited by an authorised user who has the “System → Add/Edit custom modules and templates” feature enabled, which by default is only enabled for the super admin user.
When Xibo CMS is deployed in the recommended configuration, it is containerised and this exploit does not escape the container.
For further details please see the security advisory:
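The issue above is the classic failure mode of rendering a user-supplied Twig template with the full set of filters and functions available. The snippet below is an added example, not Xibo's code and not the fix that shipped in 4.3.1: it shows how Twig's own sandbox extension can restrict an untrusted module template to an explicit allowlist, so that any filter or function outside that list is rejected at render time instead of executing. It assumes Twig is installed via Composer (the `vendor/autoload.php` path) and that the template source and variables are supplied by the caller; the allowlist contents are illustrative.

```php
<?php
// Added example (not Xibo's code): render an untrusted template string under Twig's
// sandbox so that only an explicit allowlist of tags, filters and functions is usable.
require __DIR__ . '/vendor/autoload.php'; // assumes Twig installed via Composer

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\Extension\SandboxExtension;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Everything not listed here is denied. Filters that accept callables
// (filter, map, reduce, sort, ...) are deliberately absent from the allowlist,
// since they let a template author choose what code runs.
$policy = new SecurityPolicy(
    ['if', 'for'],                // allowed tags
    ['escape', 'upper', 'date'],  // allowed filters ("escape" is needed when autoescape is on)
    [],                           // allowed object methods
    [],                           // allowed object properties
    ['range']                     // allowed functions
);

$twig = new Environment(new ArrayLoader());
// Second argument true = every template is sandboxed, not only {% sandbox %} blocks.
$twig->addExtension(new SandboxExtension($policy, true));

/**
 * Render a template string that came from an untrusted user (e.g. a custom module
 * template). A policy violation raises SecurityError; we refuse the render rather
 * than fall back to the unrestricted environment.
 */
function renderUntrusted(Environment $twig, string $source, array $vars): string
{
    try {
        return $twig->createTemplate($source)->render($vars);
    } catch (SecurityError $e) {
        // In a real CMS this would be logged with the user and template id.
        return 'REJECTED: ' . $e->getMessage();
    }
}

// Constructed sample templates standing in for user-supplied module templates.
echo renderUntrusted($twig, 'Hello {{ name|upper }}', ['name' => 'world']), PHP_EOL;
echo renderUntrusted($twig, '{{ name|reverse }}',     ['name' => 'world']), PHP_EOL;
```

The first render succeeds because `upper` is allowlisted; the second is refused with a `SecurityNotAllowedFilterError` because `reverse` is not, and the same rejection applies to any function or method the policy does not name. The useful defensive property is that the allowlist is closed by default: adding a new Twig filter to the environment does not silently expose it to template authors.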
Issues 2 & 3 - XSS
The following vulnerabilities were reported by a third party and have been fixed since Xibo CMS 4.2.2:
A big thank you to everyone involved in finding and resolving these vulnerabilities. Responsible disclosure of vulnerabilities is vital, and the team at Xibo makes all reported vulnerabilities our top priority. See our security policy for more information.
Thanks,
Dan