Impact
Session tokens are exposed in the response of the session search API call used by the sessions page. Once retrieved, they can be exfiltrated and used to hijack a session.
Exploitation requires a user who has been granted access to the sessions page, or a super admin.
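To illustrate the bug class described above and its usual fix, here is an added example that is not Xibo CMS code: a session listing serialized from whole records (which leaks the token) beside an allowlist serializer, plus a regression check. The record layout, field names and sample values are constructed assumptions.

```python
"""Allowlist serialization for a session-listing endpoint (constructed example)."""
from dataclasses import dataclass, asdict
import json


@dataclass
class Session:
    # Hypothetical session record; "token" is the secret cookie value.
    session_id: str
    user_id: int
    token: str
    last_seen: str
    remote_addr: str


# Only the fields an administrator needs to see in a session listing.
SAFE_FIELDS = ("session_id", "user_id", "last_seen", "remote_addr")

# Constructed sample data; the tokens are placeholders, not real values.
SAMPLE_SESSIONS = [
    Session("s-1", 1, "tok_1a2b3c4d5e6f7081", "2024-01-01T10:00:00Z", "10.0.0.5"),
    Session("s-2", 7, "tok_9f8e7d6c5b4a3210", "2024-01-01T10:05:00Z", "10.0.0.9"),
]


def list_sessions_leaky(sessions):
    """Flawed pattern: serialize every column of the record, secrets included."""
    return json.dumps([asdict(s) for s in sessions])


def list_sessions_safe(sessions):
    """Hardened pattern: emit only allowlisted fields, so a new secret column
    added to the record later cannot leak by default."""
    return json.dumps([{k: getattr(s, k) for k in SAFE_FIELDS} for s in sessions])


def response_leaks_token(body, sessions):
    """Regression check: the response body must never contain a session token."""
    return any(s.token in body for s in sessions)


def response_field_names(body):
    """Field names present in the first record of a serialized listing."""
    records = json.loads(body)
    return sorted(records[0]) if records else []


if __name__ == "__main__":
    print("leaky leaks token:", response_leaks_token(list_sessions_leaky(SAMPLE_SESSIONS), SAMPLE_SESSIONS))
    print("safe leaks token: ", response_leaks_token(list_sessions_safe(SAMPLE_SESSIONS), SAMPLE_SESSIONS))
```

A check like `response_leaks_token` belongs in the endpoint's test suite so that any future change to the record or serializer cannot reintroduce the exposure unnoticed.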
Patches
Users should upgrade to version 3.3.10 or 4.0.9, which fix this issue. Customers who host their CMS with Xibo Signage have already received an upgrade or patch that resolves this issue, regardless of the CMS version they are running.
Workarounds
Upgrading to a fixed version is necessary to remediate.
Patches are available for earlier versions of Xibo CMS that are out of security support:
References
Xibo Signage Security Advisory
Credit
Thanks to @Saadet-T (Saadet Elif Tokuoğlu) who discovered this issue.