Xibo CMS SQL Injection Vulnerability in DataSet API Routes

Vulnerability

A SQL injection vulnerability has been identified in Xibo CMS versions 1.7 through 4.4.0. The issue resides in the API routes responsible for filtering DataSets, which allow authenticated users with certain privileges to inject malicious values through the API filter parameter. Successful exploitation could lead to unauthorized access to, and modification of, data within the Xibo database.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling an authenticated user to manipulate database queries and potentially access or modify sensitive data.

Reproduction

To reproduce this vulnerability, an authenticated user with either the 'Access to DataSet Feature' or 'Access to the Layout Feature' privilege can send a request to the API routes that filter DataSets. By injecting specially crafted values into the filter parameter, the user can exploit the SQL injection vulnerability.

Remediation

Users should upgrade to Xibo CMS version 4.4.1, which addresses this vulnerability. Patches are also available for earlier, unsupported versions 3.3, 2.3, and 1.8.
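The following Python snippet is an added illustration of the bug class described under Reproduction and the fix pattern behind the remediation; it is not Xibo's code (Xibo is PHP/MySQL) and the table, column names and sample rows are constructed stand-ins. It contrasts a DataSet filter query that splices the API filter value into the SQL text with one that binds it as a parameter, so that a filter value containing SQL syntax is treated as data rather than widening the result set.

```python
import sqlite3

# Constructed stand-in for a DataSet table; not Xibo's real schema.
# Rows marked 'restricted' must never be returned by the public filter.
SAMPLE_DATASETS = [
    (1, "Weather", "public"),
    (2, "Payroll", "restricted"),
    (3, "Weather Archive", "restricted"),
]


def open_db():
    """Build an in-memory database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE dataset (datasetId INTEGER, dataSet TEXT, visibility TEXT)"
    )
    con.executemany("INSERT INTO dataset VALUES (?, ?, ?)", SAMPLE_DATASETS)
    return con


def filter_vulnerable(con, name_filter):
    """'Before' pattern: the API filter value is concatenated into the SQL text.

    Any quote in name_filter terminates the string literal, so the caller can
    append conditions that override the visibility restriction.
    """
    sql = (
        "SELECT datasetId FROM dataset "
        "WHERE visibility = 'public' AND dataSet LIKE '%" + name_filter + "%' "
        "ORDER BY datasetId"
    )
    return [row[0] for row in con.execute(sql)]


def filter_hardened(con, name_filter):
    """Hardened pattern: the filter value only ever travels as a bound parameter.

    The SQL text is fixed; the driver passes name_filter to the engine as a
    value, so quotes or keywords inside it cannot change the query's shape.
    """
    sql = (
        "SELECT datasetId FROM dataset "
        "WHERE visibility = 'public' AND dataSet LIKE ? "
        "ORDER BY datasetId"
    )
    return [row[0] for row in con.execute(sql, ("%" + name_filter + "%",))]
```

A benign filter such as "Weather" returns the same public row from both functions; a filter value carrying SQL syntax returns every row, restricted ones included, from the concatenating version and nothing from the parameterised one.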

Added: Apr 24, 2026, 12:29 AM
Updated: Apr 24, 2026, 12:29 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 3.1
exploitability: 5.9
remediation: 7.7
relevance: 6.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.