
CVE-2025-40633: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Koibox Koibox

Medium
Tags: Vulnerability, CVE-2025-40633, CWE-79
Published: Tue May 20 2025 (05/20/2025, 10:17:00 UTC)
Source: CVE
Vendor/Project: Koibox
Product: Koibox

Description

A Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as a profile picture in the '/es/dashboard/clientes/ficha/' endpoint.

AI-Powered Analysis

AI analysis last updated: 07/04/2025, 12:55:15 UTC

Technical Analysis

CVE-2025-40633 is a stored Cross-Site Scripting (XSS) vulnerability in Koibox, a client-management dashboard product. It affects all versions prior to commit e8cbce2 and resides in the '/es/dashboard/clientes/ficha/' endpoint (the client record page), where an authenticated user can upload a profile picture whose contents carry JavaScript. Because the XSS is stored, the file is kept on the server and the script runs in the browser of every user who later views that client record, inside the application's origin and with the victim's session.

The root cause is CWE-79: the application accepts the upload as an "image" without neutralizing its content and then renders or serves it in a way that lets the browser execute the embedded script. The advisory does not say what file type is involved. The usual pattern for this bug class is an SVG file (or any file the server trusts on the strength of its extension or client-supplied Content-Type) containing a script element, served from the application's own origin; treat that as an assumption until the fix commit is inspected.

The CVSS 4.0 base score is 5.1 (medium). The attack is reachable over the network with low complexity, but it requires low privileges (a valid account able to edit a client record) and user interaction (a victim viewing that record). A 5.1 score reflects limited rather than zero impact: a script running in a logged-in user's browser can read what that user can read and send requests with that user's session, which is enough for session hijacking, credential capture, or unauthorized changes to client records. No exploitation in the wild has been reported, and this page carries no patch or advisory link; the fix is identified only by the commit hash e8cbce2. The CVE was reserved in April 2025 and published in May 2025 by INCIBE, the assigning CNA.

Potential Impact

For European organizations using Koibox, this vulnerability primarily threatens the confidentiality and integrity of user sessions. An attacker with valid credentials can upload a malicious profile picture that executes JavaScript in the browsers of other users who view that client record, stealing session cookies, performing actions on their behalf, or staging further attacks. Because the affected page is a client record that staff consult routinely, a low-privileged account can target higher-privileged users and gain their access within the application, leading to exposure of sensitive client data or manipulation of client records. The impact is greatest where Koibox holds sensitive customer information, for example in financial services, healthcare, or legal practices common in Europe, and GDPR obligations follow if personal data is exposed or altered through exploitation. Since exploitation requires authentication, insider threats and compromised accounts are the primary risk vectors. The absence of known exploits in the wild limits the immediate threat, but the medium severity score and the low skill needed to exploit a stored XSS warrant prompt attention.

Mitigation Recommendations

1. Restrict profile-picture uploads to the roles that need them, and validate uploads strictly: determine the file type from its bytes rather than from the filename or client-supplied Content-Type, accept only raster formats (PNG, JPEG, GIF, WebP), reject SVG and anything containing markup, and ideally decode and re-encode the image server-side so that metadata and trailing content are discarded.
2. Serve stored uploads so the browser cannot execute them: set X-Content-Type-Options: nosniff, a restrictive Content-Security-Policy on the upload response, and preferably host uploads on a separate origin with no session cookies. A site-wide CSP that blocks inline scripts further reduces what any XSS payload can do.
3. Audit existing uploads for suspicious content, using automated checks that flag files whose bytes do not match a permitted image format or that contain script or SVG markup; files stored before the fix remain dangerous until reviewed.
4. Enforce multi-factor authentication (MFA) to reduce the risk of a compromised account being used for exploitation.
5. Segregate user roles and permissions so that as few accounts as possible can upload profile pictures.
6. Upgrade to a Koibox build that includes commit e8cbce2 or later; e8cbce2 is a commit hash, not a version number, so confirm with the vendor which release contains it.
7. Educate users to recognize suspicious behaviour and report anomalies.
8. Deploy web application firewall (WAF) rules tuned to detect and block XSS payloads targeting this endpoint, as a compensating control until the fix is applied.

These steps go beyond generic advice by focusing on the specific attack vector (image upload with embedded scripts) and the operational context of Koibox deployments.
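As an added example, not Koibox code and not taken from the advisory, the following Python shows the upload-side and serving-side checks that items 1 to 3 above describe: type detection from file bytes, rejection of markup and of mismatched declarations, hardened response headers for stored uploads, and an audit pass over already-stored files. The function names, the permitted formats and the sample files are assumptions for illustration.

```python
"""Hardening checks for a profile-picture upload endpoint.

Added example, not code from Koibox or from the advisory. The function
names, the allowed formats and the sample files are assumed; the
technique (trust the file's bytes, never the client's filename or
Content-Type, and serve uploads so a browser cannot execute them) is the
general fix for stored XSS through "image" uploads.
"""
import re
from typing import Dict, Optional, Tuple

# Leading bytes of the raster formats an avatar is allowed to be.
SIGNATURES = [
    ("image/png", b"\x89PNG\r\n\x1a\n"),
    ("image/jpeg", b"\xff\xd8\xff"),
    ("image/gif", b"GIF87a"),
    ("image/gif", b"GIF89a"),
]

# Markup a browser would execute if the file were ever rendered as a
# document instead of decoded as an image.
MARKUP_RE = re.compile(rb"<\s*(svg|script|html|iframe|!doctype|\?xml)", re.IGNORECASE)

ALLOWED_EXTENSIONS = ("png", "jpg", "jpeg", "gif", "webp")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Derive the image type from the file's own bytes."""
    for mime, sig in SIGNATURES:
        if data.startswith(sig):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_profile_picture(data: bytes, filename: str,
                             declared_mime: Optional[str],
                             max_bytes: int = 2_000_000) -> Tuple[bool, str]:
    """Return (accepted, detail).

    Rejects anything that is not a recognised raster image, anything whose
    client-declared type or extension disagrees with its bytes, and any
    raster file that also carries markup (a polyglot)."""
    if len(data) > max_bytes:
        return False, "too large"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "not a recognised raster image"
    if declared_mime is not None and declared_mime.lower() != sniffed:
        return False, f"declared {declared_mime} but content is {sniffed}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' not allowed"
    if MARKUP_RE.search(data):
        return False, "embedded markup found"
    return True, sniffed


def serving_headers(mime: str) -> Dict[str, str]:
    """Headers for a response that returns a stored upload: nosniff stops
    the browser reinterpreting the bytes as HTML, the sandbox CSP denies
    script execution even if something slips through, and
    Content-Disposition: attachment keeps a direct navigation from
    rendering the file while <img> tags still display it."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": "attachment",
    }


def scan_stored_uploads(store: Dict[str, bytes]) -> Dict[str, str]:
    """Audit uploads that predate the fix. Returns path -> reason for every
    file that would not pass the validator today."""
    findings = {}
    for path, data in store.items():
        ok, detail = validate_profile_picture(data, path, None)
        if not ok:
            findings[path] = detail
    return findings


# Constructed samples, not real uploads.
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JPEG_OK = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SVG_PAYLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<script>alert(document.cookie)</script></svg>')
POLYGLOT = PNG_OK + b"<script>alert(1)</script>"

if __name__ == "__main__":
    for name, data, mime in [("me.png", PNG_OK, "image/png"),
                             ("avatar.svg", SVG_PAYLOAD, "image/svg+xml"),
                             ("avatar.png", SVG_PAYLOAD, "image/png"),
                             ("pic.png", POLYGLOT, "image/png"),
                             ("pic.png", JPEG_OK, "image/png")]:
        print(name, validate_profile_picture(data, name, mime))
    print(scan_stored_uploads({"a.png": PNG_OK, "b.png": SVG_PAYLOAD}))
```

The markup check is deliberately blunt: a PNG with "<script" in a text chunk is harmless to an image decoder, but rejecting it costs nothing for an avatar and closes the polyglot route. In production, decode and re-encode the accepted file with an image library as well, so that whatever survives the check is a freshly written raster with no foreign bytes at all.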


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T08:38:09.209Z
CISA Enriched
true
CVSS Version
4.0
State
PUBLISHED

Threat ID: 682cd0f71484d88663aeb14e

Added to database: 5/20/2025, 6:59:03 PM

Last enriched: 7/4/2025, 12:55:15 PM

Last updated: 8/5/2025, 5:31:48 AM

