Cyber Resilience

CVE-2023-33177

High

Published: 30 May 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 2.3.17 and 3.3.5
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0675 (91.5th percentile)
Risk Priority: 22 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-33177 is a high-severity Path Traversal (CWE-22) vulnerability in Xibosignage Xibo. Its CVSS base score is 8.8 (High).

Operationally, this CVE ranks in the top 8.5% of all CVEs by EPSS exploit likelihood (91.5th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Xibo CMS contains a path traversal vulnerability in its layout import function. An authenticated user can upload a specially crafted zip archive whose entry names cause files to be written outside the designated library directory, with the privileges of the webserver user. The flaw is tracked as CWE-22 and carries a CVSS 3.1 score of 8.8.

An attacker with a valid CMS account can use the issue to place a PHP webshell inside the web root, resulting in remote code execution under the webserver account. The attack requires only network access to the import endpoint and no user interaction beyond authentication.

The project addressed the flaw in versions 2.3.17 and 3.3.5; hosted Xibo Signage customers received automatic remediation. Public references include the GitHub security advisory and the corresponding commits that added path validation to the import routine. EPSS rose from a low baseline to a peak of 0.3433 before receding to the current value of 0.0675, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

Xibo is a content management system (CMS). A path traversal vulnerability exists in the Xibo CMS whereby a specially crafted zip file can be uploaded to the CMS via the layout import function by an authenticated user which would allow creation of files outside of the CMS library directory as the webserver user. This can be used to upload a PHP webshell inside the web root directory and achieve remote code execution as the webserver user. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch to resolve this issue regardless of the CMS version that they are running.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xibosignage / xibo: 1.8.0 to 2.3.17; 3.0.0 to 3.3.5

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Path validation (addresses CWE-22): Validates pathnames and filenames to prevent traversal outside intended directories.
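The following is an added illustration of that control applied to the import scenario described above (an archive whose entry names escape the library directory); it is example code written for this page, not Xibo's code and not the content of the fix commits. The function names `safe_destination` and `import_layout_archive`, the `naive_destination` comparison, and the in-memory sample archives are all constructed for the example.

```python
import io
import os
import tempfile
import zipfile


class TraversalError(ValueError):
    """Raised when an archive entry would land outside the library directory."""


def naive_destination(library_dir: str, entry_name: str) -> str:
    # Unchecked join (constructed illustration of the weakness class, not Xibo's
    # code): '..' segments and absolute names are honoured verbatim.
    return os.path.normpath(os.path.join(library_dir, entry_name))


def safe_destination(library_dir: str, entry_name: str) -> str:
    """Return the on-disk path for an archive entry, or raise TraversalError."""
    # Reject absolute names and backslash separators outright.
    if entry_name.startswith(("/", "\\")) or "\\" in entry_name:
        raise TraversalError(f"absolute or backslash name: {entry_name!r}")
    # Any '..' segment is treated as traversal even if it would net out inside.
    if ".." in entry_name.split("/"):
        raise TraversalError(f"parent-directory segment in: {entry_name!r}")
    root = os.path.realpath(library_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    # Containment check on the resolved path (also covers symlinked subdirs).
    if target == root or os.path.commonpath([root, target]) != root:
        raise TraversalError(f"escapes library dir: {entry_name!r}")
    return target


def import_layout_archive(zip_bytes: bytes, library_dir: str) -> list:
    """Validate every entry before writing anything, so a bad entry rejects the
    whole archive and no partially imported files are left behind."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(info, safe_destination(library_dir, info.filename))
                   for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed sample archive from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Import a clean archive and a traversal archive into a scratch library."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        library = os.path.join(tmp, "library")
        os.makedirs(library)
        good = build_archive({"layout.xml": b"<layout/>", "media/logo.png": b"\x89PNG"})
        results["good_count"] = len(import_layout_archive(good, library))
        # Constructed traversal entry: would land in <tmp>/web, outside the library.
        bad = build_archive({"layout.xml": b"<layout/>",
                             "../web/dropped.php": b"placeholder, not a payload"})
        try:
            import_layout_archive(bad, library)
            results["bad_rejected"] = False
        except TraversalError:
            results["bad_rejected"] = True
        results["bad_written"] = os.path.exists(os.path.join(tmp, "web", "dropped.php"))
        results["naive_escapes"] = not naive_destination(
            library, "../web/dropped.php").startswith(library + os.sep)
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs over the whole entry list before the first write, which matters for an import routine: validating and writing entry by entry would still leave earlier entries on disk when a later one is rejected.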

References