Xibo CMS Server-Side Request Forgery Vulnerability Allowing Arbitrary HTTP Requests

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Xibo CMS versions prior to 4.4.1. This vulnerability allows authenticated users with DataSet permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. Exploitation could lead to scanning internal infrastructure, accessing local cloud metadata endpoints (such as AWS IMDS), interacting with unauthenticated internal services, or exfiltrating data. The vulnerability requires an authorized user to have specific privileges that are not typically granted to non-admins.

Impact

Exploitation allows for arbitrary HTTP requests to be made from the CMS server, potentially leading to unauthorized access or manipulation of internal services and data.

Remediation

Users should upgrade to Xibo CMS version 4.4.1, which addresses this vulnerability. For those unable to upgrade, it is recommended to revoke DataSet permissions from untrusted users.
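The pre-flight destination check that a remote-data-source feature such as DataSets needs before the server fetches a user-supplied URL, shown here as an added defender-side illustration in Python. It is not Xibo's code and not the 4.4.1 patch; the hostnames and the DNS table are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Cloud metadata endpoints, listed explicitly so the intent is visible even
# though the generic link-local / private checks below also catch them.
METADATA_ADDRESSES = {ipaddress.ip_address("169.254.169.254"),
                      ipaddress.ip_address("fd00:ec2::254")}

def is_blocked(ip):
    """True for any address a server-side fetch must not be allowed to reach."""
    return (ip in METADATA_ADDRESSES or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)

def system_resolver(host):
    """Every A/AAAA answer for host; all of them must pass, not just the first."""
    return {ipaddress.ip_address(r[4][0]) for r in socket.getaddrinfo(host, None)}

def check_remote_source(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied remote data source URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        targets = {ipaddress.ip_address(host)}      # literal IP, skip DNS
    except ValueError:
        try:
            targets = resolver(host)
        except socket.gaierror:
            return False, "DNS resolution failed for %s" % host
    for ip in targets:
        if is_blocked(ip):
            return False, "%s resolves to non-public address %s" % (host, ip)
    # Caveat: this is a pre-flight check only. The HTTP client must connect to
    # one of the addresses vetted here (or re-check after its own resolution)
    # and must re-run check_remote_source on every redirect target, otherwise
    # DNS rebinding or a redirect to an internal address bypasses the check.
    return True, "ok"

# Constructed DNS table so the example runs offline; these are not real hosts.
SAMPLE_DNS = {"data.example.com": {"93.184.216.34"},
              "intranet.example": {"10.0.0.5"},
              "rebind.example": {"93.184.216.34", "127.0.0.1"}}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror(host)
    return {ipaddress.ip_address(a) for a in SAMPLE_DNS[host]}
```

Pass `system_resolver` (the default) in production and keep the redirect re-check in the HTTP client, since the allow decision is only as good as the address actually connected to.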

Added: Apr 24, 2026, 1:31 AM
Updated: Apr 24, 2026, 1:31 AM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 0.6
exploitability: 4.3
remediation: 7.9
relevance: 6.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.