We are now self-hosting the Xibo CMS server (Docker version 3.3.12), the OS version is Ubuntu 20.04.6 and the Docker version is 27.3.1, build ce12230. The CMS is located behind the HAPROXY reverse proxy, it is also protected by the Letsencrypt SSL cert.
Our client just completed the web application vulnerability scanning, please find the attached scanning reports.
As we can see, the report shows 1 high-security risk and 5 medium-security risks.
For the high-security risk: 152036 Apache HTTP Server Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-40898), as a workaround, can we just upgrade the Apache server to 2.4.62?
Furthermore, any recommendations for the medium-security risks?
Your support is highly appreciated and looking forward to your reply.
Best Regards,
Jason
Version 3 is not actively developed anymore, so I’d recommend being on the latest v4 release of the CMS - currently v4.1.2.
The v3 CMS container is built on Alpine 3.15, and the latest package for Apache on that version is 2.4.58, so you can’t upgrade Apache directly using Alpine’s package manager. CVE-2024-40998, which is the Apache vulnerability they mention, appears to only affect Apache on Windows, so it doesn’t apply here.
CSRF - all forms in Xibo that make any modification to data stored in the system are CSRF protected. We don’t CSRF protect things like changes to sort order on filter forms, and so these are false positives.
Cookie “secure” is a configuration issue on your side. You need to correctly set up your container and reverse proxy to handle TLS, and the setting of the appropriate Apache settings for that. Adding CMS_PHP_COOKIE_SECURE=On to your config.env and recreating the container, in conjunction with having a correctly configured reverse proxy to terminate TLS and pass the correct X-Forwarded headers through to the CMS, will resolve that.
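As an added illustration of the reverse-proxy side of that fix (not configuration from the thread or from the Xibo project), here is an HAProxy front end that terminates TLS with the Let's Encrypt certificate, sends the X-Forwarded-* headers the CMS needs to know the original request was HTTPS, and redirects plain HTTP. It assumes the CMS web container is published on 127.0.0.1:8080 of the Docker host and that the combined certificate/key PEM lives at /etc/haproxy/certs/cms.pem; the container side is the CMS_PHP_COOKIE_SECURE=On line in config.env described above.

```haproxy
global
    log /dev/log local0
    # Accept only TLS 1.2+ so the scanner does not flag legacy protocols
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP exists only to send clients to HTTPS
frontend http_in
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

# TLS terminates here; cms.pem = Let's Encrypt fullchain + private key (assumed path)
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/cms.pem alpn h2,http/1.1
    # Tell the CMS the client connection was HTTPS so it can mark cookies Secure
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    # Appends the real client IP as X-Forwarded-For
    option forwardfor
    # Browsers will refuse to downgrade to HTTP for the next year
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend xibo_cms

backend xibo_cms
    # Host port mapped to the CMS web container (assumed mapping)
    server cms 127.0.0.1:8080 check
```

After reloading HAProxy and recreating the container, the login page's Set-Cookie response header should carry the Secure attribute, which is what the scanner checks for.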
Our client security team requests the remediation plan for the 151002 vulnerable JavaScript Library Detect Bootstrap (CWE-937).
They suggest upgrading the Bootstrap version to 4.5.3 or above to remediate security vulnerabilities. How can I check the Bootstrap version of CMS v4.1.2?
Thanks for your recommendations. We have completed the reverse proxy configuration to fix the “set-cookie: secure” issues.
If the Bootstrap version of XIBO CMS v4.1.2 is 4.5.3 or above, the CMS v4 upgrade will be the best solution now.
We cannot find bootstrap.css in the Xibo CMS v4 container via docker exec -it [xibo-v4-web] bash, so can we conclude that the 151002 vulnerable JavaScript Library Detect Bootstrap (CWE-937) will not be an issue for Xibo CMS v4, right?
Please kindly advise on this matter.
Thanks and Best Regards,
Xibo v4.1 uses bootstrap 4.6.2. There is a known vulnerability in the html-carousel plugin which may come up in your scan. Xibo is not vulnerable to that since we don’t allow users to create custom html carousels. Xibo v5 will move to bootstrap 5.