Xibo CMS Server-Side Request Forgery Vulnerability in Library Upload Functionality

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Xibo CMS versions through 4.4.0. This vulnerability allows authenticated users with Library upload permissions to make arbitrary HTTP requests from the CMS server to internal or external network resources. Exploitation could lead to scanning internal infrastructure, accessing local cloud metadata endpoints (such as AWS IMDS), interacting with unauthenticated internal services, or exfiltrating data.

Impact

Exploitation of this vulnerability lets an attacker issue HTTP requests from the CMS server itself, which could lead to unauthorized access to or manipulation of internal resources, data exfiltration, or interaction with internal services that lack authentication.

Remediation

Users should upgrade to Xibo CMS version 4.4.1 or later, which addresses this vulnerability. For users unable to upgrade, it is recommended to revoke Library upload privileges from untrusted users.
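The advisory does not show the affected code, so the following is an added illustration (not Xibo's code and not the 4.4.1 fix) of the kind of guard a fetch-from-URL feature needs: it resolves the supplied host and rejects anything that lands on a loopback, private, link-local or cloud-metadata address, including the 169.254.169.254 IMDS address named above and IPv4-mapped IPv6 forms. The hostnames and addresses used are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a server-side fetch should never reach (constructed for this
# example; 169.254.0.0/16 covers the AWS IMDS address 169.254.169.254).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def _blocked(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it is judged as the IPv4 inside it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> list:
    """Every address the host may connect to (A and AAAA); literal IPs pass through."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url: str, resolver=default_resolver) -> tuple:
    """Return (allowed, reason) for a user-supplied fetch URL.

    Rejects non-HTTP schemes, embedded credentials, and any host for which *any*
    resolved address is in a blocked range (a dual-homed name must not slip
    through because one of its records is public).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, UnicodeError, KeyError) as exc:
        return False, "resolution failed: %r" % (exc,)
    if not addrs:
        return False, "host resolved to no addresses"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, "unparseable address %r" % addr
        if _blocked(ip):
            return False, "host resolves to blocked address %s" % addr
    return True, "ok"
```

The check is only as good as the subsequent connection: the fetch must connect to the address that was validated (or re-validate on every redirect), otherwise a DNS rebinding between check and fetch defeats it.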

Added: May 12, 2026, 7:11 PM
Updated: May 12, 2026, 7:11 PM

Vulnerability Rating

Custom Algorithm

spread          1.4
impact          0.6
exploitability  4.3
remediation     8.3
relevance       8.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.