Gibbon Security Vulnerabilities and Issues — Gibbon CVE List

Lucene search

GibboneduGibbon

4 matches found

CVE•added 2023/11/14 6:15 a.m.•83 views

CVE-2023-45878

GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set...

9.8CVSS9.7AI score0.93068EPSS

CVE•added 2023/11/14 6:15 a.m.•24 views

CVE-2023-45879

GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component.

5.4CVSS5.6AI score0.00231EPSS

CVE•added 2023/11/14 6:15 a.m.•18 views

CVE-2023-45880

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads direc...

7.2CVSS6.9AI score0.0043EPSS

CVE•added 2023/11/14 6:15 a.m.•18 views

CVE-2023-45881

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response.

6.1CVSS6.2AI score0.00201EPSS