Home > Vulnerability Database > CVE-2024-43413

Mend.io Vulnerability Database

CVE-2024-43413

Date: September 3, 2024

Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue.

Language: PHP

Severity Score

3.5

Related Resources (4)

Url: https://github.com/xibosignage/xibo-cms/commit/009527855d8bfd0ffb95f5c88ed72b7b5bdebfa1

Url: https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-pfxp-vxh7-2h9f

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-43413

Url: https://www.mend.io/vulnerability-database/CVE-2024-43413

Severity Score

3.5

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	3.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-43413

Date: September 3, 2024

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?