{"id":"CVE-2023-33180","summary":"Sensitive Information Disclosure abusing SQL Injection in Xibo CMS display map","details":"Xibo is a content management system (CMS). An SQL injection vulnerability was discovered starting in version 3.2.0 and prior to version 3.3.2 in the `/display/map` API route inside the CMS. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `bounds` parameter. Users should upgrade to version 3.3.5, which fixes this issue. There are no known workarounds aside from upgrading. Note that the stated upper bound (3.3.2) does not match the fixed release (3.3.5) or this record's affected-version list, which includes 3.3.2 and 3.3.4; until this is confirmed against the vendor advisory, treat every release from 3.2.0 up to, but not including, 3.3.5 as affected.","aliases":["GHSA-7ww5-x9rm-qm89"],"modified":"2026-04-10T04:58:45.457864Z","published":"2023-05-30T20:18:40.895Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33180.json","cwe_ids":["CWE-89"]},"references":[{"type":"WEB","url":"https://claroty.com/team82/disclosure-dashboard"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33180.json"},{"type":"ADVISORY","url":"https://github.com/xibosignage/xibo-cms/security/advisories/GHSA-7ww5-x9rm-qm89"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33180"},{"type":"ADVISORY","url":"https://xibosignage.com/blog/security-advisory-2023-05/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xibosignage/xibo-cms","events":[{"introduced":"4453faac47d80fc0a6241aa2da7123cb0b3afd90"},{"fixed":"6f5d4dd0c4a177faca6268a322a557afd4e17296"}]}],"versions":["3.2.0","3.2.1","3.3.0","3.3.1","3.3.2","3.3.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33180.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}