Multiple vulnerabilities in Xibo CMS

Posted date 10/10/2025
Identifier
INCIBE-2025-0554
Importance
3 - Medium
Affected Resources
  • Xibo CMS, versions prior to 4.2.2.
Description

INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting Xibo CMS, a digital signage content management system from Xibo Signage. The vulnerabilities were discovered by Marina Fabregat Expósito.

Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-41088: CVSS v4.0: 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
  • CVE-2025-41089: CVSS v4.0: 4.8 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

The vulnerabilities have been fixed by the Xibo Signage team in version 4.2.2.

Detail
  • CVE-2025-41088: stored Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to insufficient validation of user input. To exploit it, an authenticated attacker (PR:L) creates a template in the 'Templates' section, adds a text element from the 'Global Elements' section, and sets that element's 'Text' field to the malicious payload. The payload is stored with the template and executes when the template is later rendered in another user's browser.
  • CVE-2025-41089: reflected Cross-Site Scripting (XSS) in Xibo CMS v4.1.2 from Xibo Signage, due to insufficient validation of user input. To exploit it, an authenticated attacker creates a template in the 'Templates' section, adds an element that exposes a 'Configuration Name' field, such as the 'Clock' widget, and then sets the 'Configuration Name' field in the left-hand panel to the malicious payload.

Note: the vendor points out that the layout editor and the other content tools in the CMS are designed to allow entry and execution of JavaScript, and so regards this behaviour as expected. Operators should therefore treat the right to edit templates as equivalent to the right to run JavaScript in other CMS users' browsers (the SC:L/SI:L subsequent-system impact in both vectors), and grant it accordingly.
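The following Python script is an added example, not code from the advisory or from Xibo Signage. It shows the CWE-79 pattern behind both entries in its two contexts: a stored field emitted as page text (the 'Text' element) and a field emitted inside an HTML attribute (the 'Configuration Name' value, where a leading `">` closes the attribute and the tag). The render functions, the ActiveContentFinder parser and the sample payloads are hypothetical stand-ins constructed for the example; the field names are borrowed from the advisory only as labels. Output escaping is the generic fix for CWE-79; the advisory does not say what Xibo 4.2.2 changed, so this is not a description of the vendor's patch. The version helper implements the affected range stated under Affected Resources ("prior to 4.2.2") with numeric comparison, since a plain string compare would wrongly mark 4.2.10 as older than 4.2.2.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs standing in for the two fields named in the
# advisory ('Text' on a text element, 'Configuration Name' on a widget).
# Illustrative payloads only, not data taken from the advisory.
SAMPLE_TEXT_FIELD = '<img src=x onerror="alert(document.cookie)">'
SAMPLE_CONFIG_NAME = 'Clock "><script>alert(1)</script>'


# --- Rendering: the CWE-79 pattern and its fix ------------------------------
# Hypothetical stand-ins for how a CMS might render a stored field; these are
# not Xibo's templates or code.

def render_text_unsafe(text: str) -> str:
    """Vulnerable: stored text is interpolated verbatim into the page body."""
    return f'<div class="text-element">{text}</div>'


def render_text_safe(text: str) -> str:
    """Hardened: escape <, >, &, and quotes before emitting the field as text."""
    return f'<div class="text-element">{html.escape(text, quote=True)}</div>'


def render_config_name_unsafe(name: str) -> str:
    """Vulnerable: value lands inside an attribute unescaped, so a leading
    '">' in the input closes the attribute and the tag."""
    return f'<input name="configName" value="{name}">'


def render_config_name_safe(name: str) -> str:
    """Hardened: attribute context needs quote escaping too (quote=True)."""
    return f'<input name="configName" value="{html.escape(name, quote=True)}">'


# --- Checking: does the rendered HTML contain executable content? -----------

class ActiveContentFinder(HTMLParser):
    """Collects script tags, on* event-handler attributes and javascript: URLs
    from rendered markup. Escaped input never yields these, because the
    parser sees it as character data rather than as tags or attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            if name in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def find_active_content(rendered_html: str) -> list[str]:
    finder = ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


# --- Triage: is a deployed version inside the affected range? ---------------

def parse_version(version: str) -> tuple[int, ...]:
    """'4.2.10' -> (4, 2, 10). Tuple comparison avoids the string-compare trap
    where '4.2.10' < '4.2.2'. Non-numeric suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str) -> bool:
    """Affected resources per the advisory: versions prior to 4.2.2."""
    return parse_version(version) < (4, 2, 2)


if __name__ == "__main__":
    for label, unsafe, safe in (
        ("Text", render_text_unsafe(SAMPLE_TEXT_FIELD), render_text_safe(SAMPLE_TEXT_FIELD)),
        ("Configuration Name", render_config_name_unsafe(SAMPLE_CONFIG_NAME),
         render_config_name_safe(SAMPLE_CONFIG_NAME)),
    ):
        print(f"{label} unsafe -> {find_active_content(unsafe)}")
        print(f"{label} safe   -> {find_active_content(safe)}")
    for v in ("4.1.2", "4.2.1", "4.2.2", "4.2.10"):
        print(f"Xibo CMS {v}: affected={is_affected(v)}")
```

The parser-based check is deliberately used instead of a regex over the raw string: after escaping, the text `onerror=` is still present in the output, so a substring match would report a false positive, whereas a parser only reports handlers that actually sit on a tag.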

CVE
  • CVE-2025-41088: Severity: Medium | Exploitation: No | New vendor: Xibo Signage
  • CVE-2025-41089: Severity: Medium | Exploitation: No | New vendor: Xibo Signage