CVE-2019-17625

Name of the Vulnerable Software and Affected Versions Rambox version 0.6.9

Description The issue is related to a stored XSS that can lead to code execution. It occurs in the name field when adding or editing a service due to incorrect sanitization. This allows a user to craft a payload, such as executing OS commands within the onerror attribute of an IMG element, targeting Node.js and Electron.

Recommendations For Rambox version 0.6.9, as a temporary workaround, consider disabling the ability to add or edit services until a patch is available. Restrict access to the name field in the service management functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.