CVE-2024-43413 LOW

CVE-2024-43413: Xibo CMS XSS vulnerability using DataSet HTML columns

Vendor Xibosignage
Product xibo-cms
Weakness CWE-79 · XSS
Published September 3, 2024
Last update September 3, 2024
View on NVD All CVEs

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Xibo is an open source digital signage platform with a web content management system (CMS). Prior to version 4.1.0, a cross-site scripting vulnerability in Xibo CMS allows authorized users to execute JavaScript via the DataSet functionality. Users can design a DataSet with a HTML column which contains JavaScript, which is intended functionality. The JavaScript gets executed on the Data Entry page and in any Layouts which reference it. This behavior has been changed in 4.1.0 to show HTML/CSS/JS as code on the Data Entry page. There are no workarounds for this issue.

Key dates

02Disclosure timeline

September 3, 2024 CVE published
September 3, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-46905 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2023-4021 Modern Events Calendar lite < 7.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2021-22510 CVE-2025-35029 Medical Informatics Engineering Enterprise Health stored cross site scripting via Demographic Information page CVE-2024-2925 Beaver Builder – WordPress Page Builder <= 2.8.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button