PT-2025-22126 · Koibox · Koibox
Published: 2025-05-20 · Updated: 2025-05-20
CVE-2025-40633
CVSS v4.0: 5.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions:
Koibox versions prior to e8cbce2
Description:
A Stored Cross-Site Scripting (XSS) issue has been found that allows an authenticated attacker to upload an image containing malicious JavaScript code as a profile picture via the "/es/dashboard/clientes/ficha/" endpoint.
Recommendations:
For versions prior to e8cbce2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the "/es/dashboard/clientes/ficha/" endpoint until a patch is available, and do not allow authenticated users to upload images that could contain malicious JavaScript code.
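The mitigation above amounts to not trusting what an authenticated user uploads as a profile picture. The following is an added example, not Koibox's code and not the e8cbce2 fix, of how a profile-picture upload handler can enforce that server-side: the accepted type is decided from the file's leading bytes only (SVG, being XML text, never matches a raster signature), the client-supplied filename and Content-Type must agree with the sniffed type, and the stored file is later served with headers that stop the browser from reinterpreting it as HTML or SVG. Function names, the size limit and the sample inputs are assumptions constructed for the example.

```python
import os

# Magic-byte signatures of the raster formats the hypothetical profile-picture
# endpoint is willing to accept. SVG is deliberately absent: as XML text it can
# carry <script> and event-handler attributes, which is the usual vehicle for
# stored XSS through an "image" upload.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png", {".png"}),
    (b"\xff\xd8\xff", "image/jpeg", {".jpg", ".jpeg"}),
    (b"GIF87a", "image/gif", {".gif"}),
    (b"GIF89a", "image/gif", {".gif"}),
]


def sniff_image(data):
    """Return (mime, allowed extensions) from the leading bytes, or None."""
    for magic, mime, exts in SIGNATURES:
        if data.startswith(magic):
            return mime, exts
    # WebP: RIFF container with the 'WEBP' form type at offset 8.
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp", {".webp"}
    return None


def validate_profile_picture(filename, declared_type, data, max_bytes=2 * 1024 * 1024):
    """Return (accepted, reason, mime).

    Every decision is based on the bytes themselves; the filename and the
    Content-Type header are attacker-controlled and only have to be consistent
    with what the bytes say. (Size limit is an assumed policy value.)
    """
    if len(data) > max_bytes:
        return False, "file too large", None
    sniffed = sniff_image(data)
    if sniffed is None:
        return False, "content is not a supported raster image", None
    mime, exts = sniffed
    ext = os.path.splitext(filename)[1].lower()
    if ext not in exts:
        return False, f"extension {ext!r} does not match {mime}", None
    if declared_type.split(";")[0].strip().lower() != mime:
        return False, "declared Content-Type does not match content", None
    return True, "ok", mime


def download_headers(mime, stored_name):
    """Response headers for serving a stored upload so that even a polyglot
    file is never interpreted as HTML or SVG by the browser."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{stored_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "private, no-transform",
    }


# Constructed sample inputs (not real uploads): a minimal PNG header padded
# with zeros, and an SVG document carrying a script element.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SVG_SAMPLE = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b"<script>/* attacker-controlled script would go here */</script></svg>"
)

if __name__ == "__main__":
    print(validate_profile_picture("avatar.png", "image/png", PNG_SAMPLE))
    # SVG is rejected whether it is declared honestly or renamed to .png
    print(validate_profile_picture("avatar.svg", "image/svg+xml", SVG_SAMPLE))
    print(validate_profile_picture("avatar.png", "image/png", SVG_SAMPLE))
    print(download_headers("image/png", "generated-name.png"))
```

The stored filename passed to `download_headers` should be generated by the server (for example a random identifier plus the sniffed extension) rather than taken from the upload, and serving user content from a separate origin keeps any remaining polyglot trick away from the application's session cookies.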
Fix
XSS
Affected Products
Koibox