CVE-2022-45179

Name of the Vulnerable Software and Affected Versions LIVEBOX Collaboration vDesk versions through v031

Description A basic XSS issue exists under the "/api/v1/vdeskintegration/todo/createorupdate" endpoint via the title parameter and "/dashboard/reminders". A remote user, authenticated to the product, can store arbitrary HTML code in the reminder section title to corrupt the web page, potentially creating phishing sections to exfiltrate victims' credentials.

Recommendations For versions through v031, as a temporary workaround, consider restricting access to the "/api/v1/vdeskintegration/todo/createorupdate" endpoint and the "/dashboard/reminders" page to minimize the risk of exploitation. Avoid using the title parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.