Stored Cross-Site Scripting (XSS) in Koibox

Posted date 20/05/2025
Identifier
INCIBE-2025-0249
Importance
3 - Medium
Affected Resources

Koibox, versions prior to e8cbce2.

Description

INCIBE has coordinated the publication of a medium severity vulnerability affecting Koibox, a management software for beauty centres. This vulnerability has been discovered by David Padilla Alvarado.

This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-40633: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

The vulnerability has been resolved by the Koibox team in version e8cbce2.

Detail

CVE-2025-40633: A Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as a profile picture via the '/es/dashboard/clientes/ficha/' endpoint.
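The advisory does not state which image format carried the script, so the added example below (not Koibox code; file names, headers and samples are constructed for illustration) shows the generic defence for this bug class: accept a profile picture only when its extension, declared type and leading bytes all agree on a raster format, and serve stored uploads with headers that stop a browser from ever interpreting them as markup.

```python
# Added example (not Koibox code): allow-list validation for profile-picture uploads.
# The advisory does not say which image format carried the script, so this
# refuses anything that is not a recognised raster image, which covers SVG,
# HTML and other text-based payloads regardless of the claimed name or type.

ALLOWED_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT_TO_MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for magic, mime in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_profile_picture(filename: str, declared_type: str, data: bytes):
    """Return (accepted, detail). Extension, declared type and content must agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_MIME.get(ext)
    if expected is None:
        return False, f"extension '.{ext}' is not an allowed raster format"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content is not a PNG, JPEG or GIF (possible SVG/HTML payload)"
    if actual != expected or declared_type.lower() != expected:
        return False, f"declared {declared_type}/.{ext} but content is {actual}"
    return True, actual


def safe_image_headers(mime: str) -> dict:
    """Response headers for serving stored uploads so a browser never executes them."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",  # do not second-guess the type
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples for a quick self-check (a minimal PNG header and an SVG with script).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SVG_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><script>console.log("constructed")</script></svg>'
```

Re-encoding the accepted image with an image library before storing it is a further hardening step that discards any metadata the check above does not inspect.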
