Wekan · Wekan · CVE-2023-28485
**Name of the Vulnerable Software and Affected Versions**
WeKan versions prior to 6.75
**Description**
A stored cross-site scripting (Stored XSS) issue in the file preview feature allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Users with BoardAdmin access can rename attachments, and the `renameAttachment` function does not block XSS payloads.
**Recommendations**
For versions prior to 6.75, update to version 6.75 or later to resolve the issue.
As a temporary workaround, consider restricting the ability to rename attachments to prevent the injection of malicious scripts.