Xibo-cms versions prior to 4.4.1 contain an authenticated SSRF vulnerability (CWE-918) exploitable by users with DataSet permissions. This flaw allows these users to induce the CMS server to perform arbitrary HTTP requests to internal or external network resources, which can be leveraged to access sensitive internal services or cloud metadata endpoints. The vulnerability requires elevated privileges not typically granted to non-admin users. The vendor has released version 4.4.1 to fix this issue. Since xibo-cms is a cloud service, the vendor manages remediation server-side. Users should upgrade to 4.4.1 or restrict DataSet permissions to trusted users to mitigate risk.

An authenticated user with DataSet permissions can exploit this SSRF vulnerability to make arbitrary HTTP requests from the CMS server. This can lead to unauthorized access to internal network resources, cloud metadata endpoints (e.g., AWS IMDS), and unauthenticated internal services, potentially resulting in data exposure. The vulnerability does not impact confidentiality of data directly on the CMS but can be used as a pivot to gather sensitive information from internal infrastructure. The CVSS score of 4.9 reflects a medium severity impact with high confidentiality impact but no integrity or availability impact.

A fixed version 4.4.1 of xibo-cms is available and upgrading to this version is necessary to remediate the vulnerability. Since xibo-cms is a cloud-hosted service, the vendor manages remediation server-side, so users should verify with the vendor that their instance is updated. For users unable to upgrade immediately, it is recommended to revoke DataSet permissions from any users who are not fully trusted, as these privileges are required to exploit the vulnerability. No additional mitigations are indicated by the vendor advisory.