4 matches found
CVE-2023-45879
GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component...
CVE-2023-45880
GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname and extension. This allows creation of PHP files outside of the uploads...
CVE-2023-45878
GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubricsvisualisesaveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set...
PT-2023-29739 · Gibbon · Gibbon
Name of the Vulnerable Software and Affected Versions: GibbonEdu Gibbon versions 25.0.1 and before Description: The issue allows for Arbitrary File Write due to the lack of authentication in the rubrics visualise saveAjax.php file. This file accepts parameters such as img, path, and gibbonPersonI...