Gibbonedu

Gibbon

19 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
Exploit
  • EPSS 0.29%
  • Published 09.05.2026 03:19:27
  • Last modified 12.05.2026 15:37:48

Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DoS by attempting extraction of web application PHP files; failed .zip extraction results in deletion of the file and a DoS condition. Successful exploitation...

Exploit
  • EPSS 0.32%
  • Published 09.05.2026 02:58:43
  • Last modified 12.05.2026 15:37:48

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or high...

Exploit
  • EPSS 0.23%
  • Published 09.05.2026 02:41:46
  • Last modified 12.05.2026 15:37:48

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature...

  • EPSS 0.16%
  • Published 27.05.2025 00:00:00
  • Last modified 18.07.2025 13:04:03

Gibbon before 29.0.00 allows CSRF.

Exploit
  • EPSS 0.59%
  • Published 21.11.2024 19:15:11
  • Last modified 17.07.2025 17:30:10

Cross Site Scripting vulnerability in Gibbon before v.27.0.01 and fixed in v.28.0.00 allows a remote attacker to obtain sensitive information via the email parameter found in /Gibbon/modules/User Admin/user_manage_editProcess.php.

Exploit
  • EPSS 0.86%
  • Published 10.09.2024 18:15:03
  • Last modified 17.07.2025 20:03:55

Cross-site scripting (XSS) vulnerability in Gibbon Core v26.0.00 allows an attacker to execute arbitrary code via the imageLink parameter in the library_manage_catalog_editProcess.php component.

Exploit
  • EPSS 26.09%
  • Published 03.04.2024 03:15:09
  • Last modified 17.07.2025 17:09:42

Gibbon through 26.0.00 allows /modules/School%20Admin/messengerSettings.php Server Side Template Injection leading to Remote Code Execution because input is passed to the Twig template engine (messengerSettings.php) without sanitization.

Exploit
  • EPSS 51.32%
  • Published 23.03.2024 23:15:07
  • Last modified 29.07.2025 20:05:15

Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.

Exploit
  • EPSS 1.21%
  • Published 14.11.2023 06:15:29
  • Last modified 21.11.2024 08:27:32

GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows c...

Exploit
  • EPSS 0.5%
  • Published 14.11.2023 06:15:29
  • Last modified 21.11.2024 08:27:33

GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is r...