Xibo CMS 4.3.1 Release Notes (Key Security Information)

Summary

Xibo CMS 4.3.1 is the first patch release for version 4.3. It contains enhancements and fixes across several components. None of the items below is published as a security advisory, but each one touches behaviour that a security team should verify after upgrading. The key points are:

Command: HTTP trigger command adds extra headers after edit (xibosignage/xibo#3735)
- Editing an HTTP trigger command caused headers the administrator had not configured to be added to the outbound request. The fix is a correctness fix for outbound requests rather than an injection vulnerability; the point for operators is that the request the CMS sends should match exactly what was configured. After upgrading, re-open existing HTTP commands and confirm the stored header list contains only the intended entries.

Library: S3 thumbnail URLs should output a CORS header
- Thumbnails stored in S3 are loaded by the browser from an origin other than the CMS, so the S3 response needs an Access-Control-Allow-Origin header before the browser will use them. When configuring this, limit Access-Control-Allow-Origin to the CMS origin rather than "*", and never combine a wildcard origin with Access-Control-Allow-Credentials: true; an over-broad allow-list lets any website read the thumbnails cross-origin.

Reports: API Request History: Report shows incorrect/no data (xibosignage/xibo#3718)
- The API Request History report, which is the CMS's own audit trail of API usage, showed incorrect or no data. While the report was broken, API activity could go unnoticed during an investigation. After upgrading, confirm the report populates for known API calls and, for the period before the fix, rely on web-server or reverse-proxy logs instead.

Library: Replace/Expire Media: Unable to delete expired media after replacement (xibosignage/xibo#3654)
- After replacing a media item and marking the old copy to expire, the expired copy could not be deleted. Files that should have been retired therefore remained in the library. After upgrading, look for expired media that should already have been removed and delete it.

Recommendations

Review the changes to HTTP command handling, CORS header configuration, API request logging and media file management in this release, verify each on a staging system before rolling out, and check the post-upgrade state described above (stored command headers, CORS allow-list, report contents, expired media). Regular security reviews and timely patching remain essential for keeping the system secure.
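The CORS point above is where a configuration mistake most easily turns a fix into an exposure, so here is an added, self-contained example of the allow-list logic and the checks a reviewer would run against it. This is illustrative code written for this page; it is not Xibo's code and does not describe how Xibo's fix is implemented. The CMS origin https://cms.example.com, the bucket and all inputs are constructed assumptions. The example goes slightly beyond the release note: besides producing an S3 bucket CORS rule it models the per-request decision a CORS-aware server makes (exact match of the Origin header against the allow-list, echo of the matched value, Vary: Origin) and audits an allow-list for the usual mistakes.

```python
"""Illustrative CORS policy for thumbnails served from a different origin.

Added example; not Xibo's code and not a description of its fix. Assumed
(constructed) values: the CMS runs at https://cms.example.com and the browser
fetches thumbnails from an S3 bucket on another origin.
"""
from urllib.parse import urlsplit

CMS_ORIGIN = "https://cms.example.com"   # assumed CMS origin


def s3_cors_rule(allowed_origins, max_age=3000):
    """Bucket CORS rule in the JSON shape `aws s3api put-bucket-cors` accepts.

    Only GET/HEAD are allowed: thumbnails are read by <img> tags and fetch(),
    never written by the browser.
    """
    return {"CORSRules": [{
        "AllowedOrigins": list(allowed_origins),
        "AllowedMethods": ["GET", "HEAD"],
        "AllowedHeaders": [],
        "MaxAgeSeconds": max_age,
    }]}


def cors_response_headers(request_origin, allowed_origins, allow_credentials=False):
    """Headers a CORS-aware server (S3 or the CMS itself) adds to a thumbnail response.

    Mirrors the usual decision: match the request's Origin exactly against the
    allow-list and echo the matched value. Exact matching defeats look-alike
    origins such as https://cms.example.com.evil.test.
    """
    if "*" in allowed_origins:
        if allow_credentials:
            # Browsers reject this combination anyway, and the wildcard makes
            # the content readable from any site; fail loudly instead.
            raise ValueError("wildcard origin cannot be combined with credentials")
        return {"Access-Control-Allow-Origin": "*"}
    if request_origin is None or request_origin not in allowed_origins:
        # Same-origin/non-browser request, or an origin we do not trust:
        # send no CORS headers and the browser blocks the cross-origin read.
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",   # caches must not serve one origin's answer to another
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_allowed_origins(allowed_origins):
    """Findings a reviewer would raise against an AllowedOrigins list."""
    findings = []
    for origin in allowed_origins:
        if origin == "*":
            findings.append("wildcard: thumbnails readable from any website")
            continue
        parts = urlsplit(origin)
        if parts.scheme != "https":
            findings.append(f"{origin}: not https, readable by an on-path attacker")
        if parts.path or parts.query or parts.fragment:
            # A browser Origin header is scheme://host[:port] with no path, so
            # an entry with a trailing slash or path never matches and the
            # feature silently breaks.
            findings.append(f"{origin}: has a path or trailing slash and will never match an Origin header")
    return findings


if __name__ == "__main__":
    print(s3_cors_rule([CMS_ORIGIN]))
    print(cors_response_headers(CMS_ORIGIN, [CMS_ORIGIN]))
    print(cors_response_headers("https://cms.example.com.evil.test", [CMS_ORIGIN]))
    print(audit_allowed_origins(["*", "http://cms.example.com", "https://cms.example.com/"]))
```

The trailing-slash check is worth keeping: an allow-list entry of https://cms.example.com/ looks right but never matches the browser's Origin header, so thumbnails break while the rule appears to be in place.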