CVE-2025-40633

CVSS

No CVSS.

A

Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as profile picture in the '/es/dashboard/clientes/ficha/' endpoint

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-koibox

Configurations

No configuration.

History

21 May 2025, 20:25

Type	Values Removed	Values Added
Summary		(es) Se ha detectado una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en Koibox para versiones anteriores a e8cbce2. Esta vulnerabilidad permite a un atacante autenticado cargar una imagen con código JavaScript malicioso como foto de perfil en el endpoint '/es/dashboard/clientes/ficha/'.

20 May 2025, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-20 11:15

Updated : 2025-05-21 20:25

NVD link : CVE-2025-40633

Mitre link : CVE-2025-40633

CVE.ORG link : CVE-2025-40633

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-40633", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-20T11:15:48.630", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-koibox", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability has been found in \nKoibox for versions prior to e8cbce2. This vulnerability allows an \nauthenticated attacker to upload an image containing malicious \nJavaScript code as profile picture in the \n'/es/dashboard/clientes/ficha/' endpoint"}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en Koibox para versiones anteriores a e8cbce2. Esta vulnerabilidad permite a un atacante autenticado cargar una imagen con c\u00f3digo JavaScript malicioso como foto de perfil en el endpoint '/es/dashboard/clientes/ficha/'."}], "lastModified": "2025-05-21T20:25:16.407", "sourceIdentifier": "[email protected]"}