Philipp Fortmann

**Name of the Vulnerable Software and Affected Versions** K-Box versions prior to 0.33.1 **Description** K-Box is a web-based application to manage documents, images, videos, and geodata. A stored Cross-Site-Scripting (XSS) vulnerability is present in the markdown editor used by the document abstract and markdown file preview. A specifically crafted anchor link can, if clicked, execute untrusted javascript actions, like retrieving user cookies. **Recommendations** For versions prior to 0.33.1, update to version 0.33.1, which includes a patch that allows discarding unsafe links. As a temporary workaround, consider disabling the markdown editor until a patch is available. Restrict access to the markdown file preview to minimize the risk of exploitation. Avoid using the markdown editor to preview documents until the issue is resolved.