CVE-2025-40633

MEDIUM

Koibox < e8cbce2 - Authenticated Stored Cross-Site Scripting via Profile Picture Upload

Title source: llm
STIX 2.1

Description

A Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as profile picture in the '/es/dashboard/clientes/ficha/' endpoint

References (1)

Core 1

Scores

CVSS v4 5.1
EPSS 0.0030
EPSS Percentile 21.7%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Koibox/Koibox <e8cbce2
Published May 20, 2025
Tracked Since Feb 18, 2026