CVE-2023-32670

Name of the Vulnerable Software and Affected Versions BuddyBoss version 2.2.9

Description The issue is a Cross-Site Scripting vulnerability that could allow a local attacker with basic privileges to execute a malicious payload through the name parameter, specifically when set to image.jpg. This allows the assignment of a persistent JavaScript payload that would be triggered when the associated image is loaded.

Recommendations For BuddyBoss version 2.2.9, consider disabling the ability to upload images or restricting the use of the name parameter to minimize the risk of exploitation until a patch is available. Avoid using the name parameter in affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.