Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Gibbon
(Gibbonedu)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 11 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-11-14 | CVE-2023-45879 | GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component. | Gibbon | 5.4 | ||
| 2023-11-14 | CVE-2023-45880 | GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot. | Gibbon | 7.2 | ||
| 2023-11-14 | CVE-2023-45881 | GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response. | Gibbon | 6.1 | ||
| 2023-06-29 | CVE-2023-34598 | Gibbon v25.0.0 is vulnerable to a Local File Inclusion (LFI) where it's possible to include the content of several files present in the installation folder in the server's response. | Gibbon | 9.8 | ||
| 2023-06-29 | CVE-2023-34599 | Multiple Cross-Site Scripting (XSS) vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to execute arbitrary Javascript code. | Gibbon | 6.1 | ||
| 2022-05-25 | CVE-2022-27305 | Gibbon v23 does not generate a new session ID cookie after a user authenticates, making the application vulnerable to session fixation. | Gibbon | 8.8 | ||
| 2022-02-03 | CVE-2022-23871 | Multiple cross-site scripting (XSS) vulnerabilities in the component outcomes_addProcess.php of Gibbon CMS v22.0.01 allow attackers to execute arbitrary web scripts or HTML via a crafted payload insterted into the name, category, description parameters. | Gibbon | 5.4 | ||
| 2022-01-28 | CVE-2022-22868 | Gibbon CMS v22.0.01 was discovered to contain a cross-site scripting (XSS) vulnerability, that allows attackers to inject arbitrary script via name parameters. | Gibbon | 4.8 | ||
| 2021-09-13 | CVE-2021-40214 | Gibbon v22.0.00 suffers from a stored XSS vulnerability within the wall messages component. | Gibbon | 5.4 | ||
| 2021-09-03 | CVE-2021-40492 | A reflected XSS vulnerability exists in multiple pages in version 22 of the Gibbon application that allows for arbitrary execution of JavaScript (gibbonCourseClassID, gibbonPersonID, subpage, currentDate, or allStudents to index.php). | Gibbon | 6.1 |