CVE-2025-40633: Stored Cross-Site Scripting (XSS) in Koibox
5.1
CVSS
Description
A Stored Cross-Site Scripting (XSS) vulnerability has been found in
Koibox for versions prior to e8cbce2. This vulnerability allows an
authenticated attacker to upload an image containing malicious
JavaScript code as profile picture in the
'/es/dashboard/clientes/ficha/' endpoint
Classification
CVE ID: CVE-2025-40633
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Problem Types
CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')Affected Products
Vendor: Koibox
Product: Koibox
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 16.26% (scored less or equal to compared to others)
EPSS Date: 2025-05-31 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-40633https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-koibox