Remote Code Execution in Xibo CMS 3.3.4 via Zip‑Slip Path Traversal
What Happened — A path‑traversal (Zip‑Slip) flaw in the layout‑import feature of Xibo CMS (CVE‑2023‑33177, demonstrated against 3.3.4) lets an authenticated user who is allowed to import layouts upload a crafted ZIP whose extraction writes a PHP web‑shell into the web root, giving remote code execution on the CMS host. The vulnerability affects Xibo versions 1.8.0 through 2.3.16 and 3.0.0 through 3.3.4.
Why It Matters for TPRM —
- Remote code execution can be leveraged to pivot into downstream services, exfiltrate data, or disrupt operations.
- Many organizations use Xibo for digital signage; a compromised instance can become a foothold inside corporate networks.
- The exploit needs nothing more than valid credentials for an account with layout‑import rights, so weak or shared Xibo accounts and delayed patching translate directly into server compromise.
Who Is Affected — Media & entertainment firms, retail chains, hospitality venues, and any organization that deploys Xibo digital‑signage CMS (vendor type: OTHER).
Recommended Actions —
- Verify whether any third‑party vendors or internal teams run Xibo CMS.
- Upgrade immediately: to Xibo CMS 2.3.17 or later on the 2.x line, or 3.3.5 or later on the 3.x line.
- Enforce least‑privilege for layout‑import permissions; consider multi‑factor authentication for all Xibo accounts.
- Review CMS and web‑server logs for unexpected layout (ZIP) imports, and check the web root for recently created PHP files outside the expected library and application directories.
Technical Notes — The flaw is a classic Zip‑Slip: the mapping.json inside an uploaded layout ZIP tells the importer where each archive member should be written, and a destination containing ../../ sequences is joined to the library directory without being canonicalized or checked, so the extractor writes the file outside the intended directory. The published proof of concept uses this to drop a PHP web‑shell (shell.php) that executes arbitrary commands. The fix, as with any Zip‑Slip, is to resolve the final destination path and refuse it unless it still lies under the base directory. According to the Exploit‑DB entry, no public exploit for this CVE existed before it was posted; the proof of concept it carries is described as fully functional. Source: https://www.exploit-db.com/exploits/52500
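The following is an added illustration, not code from Xibo or from the Exploit‑DB entry. It builds a constructed layout ZIP in memory, runs it through a minimal extractor that joins the mapping.json destination naively (the Zip‑Slip pattern described above) and through a hardened extractor that canonicalizes the destination and rejects anything outside the library directory. The mapping.json schema used here (a list of {"file", "path"} objects) is a simplified assumption, not Xibo's real format, and the directory layout is a throwaway temporary tree.

```python
import io
import json
import tempfile
import zipfile
from pathlib import Path

# Constructed sample payload, not a real Xibo export. The mapping.json schema
# below is an assumption: a list of {"file": <zip member>, "path": <destination>}.
PHP_SHELL = b"<?php system($_GET['c']); ?>\n"


def build_layout_zip(entries):
    """Build an in-memory layout ZIP whose mapping.json steers each member to a destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        mapping = []
        for member, dest, data in entries:
            zf.writestr(member, data)
            mapping.append({"file": member, "path": dest})
        zf.writestr("mapping.json", json.dumps(mapping))
    return buf.getvalue()


def extract_vulnerable(zip_bytes, library_dir):
    """Zip-Slip: the destination taken from mapping.json is joined without any check."""
    library_dir = Path(library_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for item in json.loads(zf.read("mapping.json")):
            dest = library_dir / item["path"]  # "../shell.php" walks out of library_dir
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(item["file"]))
            written.append(dest.resolve())
    return written


def safe_join(base_dir, relative):
    """Canonicalize base/relative and insist the result stays under base (handles ../ and absolute paths)."""
    base = Path(base_dir).resolve()
    target = (base / relative).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"path traversal blocked: {relative!r}")
    return target


def extract_hardened(zip_bytes, library_dir):
    """Same extractor with the destination validated by safe_join; returns (written, blocked)."""
    written, blocked = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for item in json.loads(zf.read("mapping.json")):
            try:
                dest = safe_join(library_dir, item["path"])
            except ValueError:
                blocked.append(item["path"])
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(item["file"]))
            written.append(dest)
    return written, blocked


def run_demo():
    """Run both extractors against the same crafted ZIP in a throwaway web root and report what landed where."""
    payload = build_layout_zip([
        ("media/1.bin", "1.bin", b"legit media"),         # benign member, stays in the library
        ("media/shell.php", "../shell.php", PHP_SHELL),  # traversal member, aimed at the web root
    ])
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp) / "web"
        library = web_root / "library"
        library.mkdir(parents=True)

        vuln_paths = extract_vulnerable(payload, library)
        escaped = sorted(p.relative_to(web_root.resolve()).as_posix()
                         for p in vuln_paths if library.resolve() not in p.parents)
        shell_in_web_root = (web_root / "shell.php").exists()

        library2 = Path(tmp) / "web2" / "library"  # fresh tree for the hardened run
        library2.mkdir(parents=True)
        ok, blocked = extract_hardened(payload, library2)
        return {
            "vulnerable_escaped": escaped,
            "vulnerable_shell_in_web_root": shell_in_web_root,
            "hardened_written": sorted(p.name for p in ok),
            "hardened_blocked": blocked,
        }


if __name__ == "__main__":
    print(run_demo())
```

Running it shows the naive extractor placing shell.php one level above the library (in the web root) while the hardened extractor writes only 1.bin and reports the traversal entry as blocked. The check in safe_join is done on the resolved path rather than by string inspection for "..", so encoded or absolute destinations are caught the same way.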