CVE-2022-23637 in K-Box

Summary

by MITRE • 02/15/2022

K-Box is a web-based application to manage documents, images, videos and geodata. Prior to version 0.33.1, a stored Cross-Site Scripting (XSS) vulnerability is present in the markdown editor used by the document abstract and markdown file preview. A specifically crafted anchor link can, if clicked, execute untrusted JavaScript actions, like retrieving user cookies. Version 0.33.1 includes a patch that allows discarding unsafe links.


Analysis

by VulDB Data Team • 02/18/2022

CVE-2022-23637 affects K-Box, a web-based document management system for documents, images, videos and geodata. Organisations use it as a central place to store, organise and access digital content, so it sits on the critical path of many information-management workflows. The flaw lies in the markdown editor used to write document abstracts and to preview markdown files, a core feature that users rely on for content creation and documentation.

The flaw is a stored cross-site scripting (XSS) vulnerability in how the markdown editor handles anchor links. A user who can write markdown can craft a link whose target carries JavaScript instead of an ordinary URL; the application renders the link without sanitising or validating its href attribute, so when another user clicks it the untrusted script runs in that user's browser. Because the markdown is persisted in the application's database, the payload survives and reaches every user who views the affected content, which is what makes a stored XSS more dangerous than a reflected one.

For organisations running K-Box, the impact is a persistent vector for stealing user session cookies and, through them, gaining unauthorised access to user accounts. An attacker who can inject content can have JavaScript execute in the browser context of other users, enabling session hijacking, credential theft and similar abuse. Since the payload is stored, it keeps executing every time affected users open the content, long after the initial injection, which makes the problem hard to contain. The weakness is classified under CWE-79 (cross-site scripting) and aligns with ATT&CK technique T1531 for credential access through manipulation of authentication tokens.

The vendor fixed this in version 0.33.1 with a patch that discards unsafe links during markdown processing, so dangerous anchor links are never rendered in the browser and the XSS vector is removed at its root. This is the right shape of response: validate the input and sanitise the output before it reaches the browser. Organisations on affected versions should upgrade to 0.33.1 or later without delay; because the flaw is stored, any malicious content injected earlier remains exploitable until the system is patched. The case underlines how important input validation is for user-generated content that will be rendered in a browser, and how serious XSS remains in content management systems.
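As an added example (not K-Box's own code; the function names are this example's own), an allowlist check of the kind the 0.33.1 patch describes: a link whose href does not resolve to http, https, mailto or a relative path is stripped from the renderer's HTML before it reaches the browser, and the casing, whitespace and entity-encoding tricks used to disguise a script scheme are normalised away first.

```javascript
// Added example, not K-Box's code: allowlist-based href check for anchors
// emitted by a markdown renderer. Anything not on the allowlist is discarded.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Undo what browsers (and some markdown pipelines) tolerate before the scheme
// is parsed: numeric HTML entities, embedded control characters and spaces.
function normaliseHref(href) {
  return href
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/[\u0000-\u0020\u007f]/g, "");
}

// True for scheme-less links (relative paths, fragments, protocol-relative
// URLs inherit the page's http(s) scheme) and for absolute links on an
// allowlisted scheme. javascript:, data:, vbscript: and unknown schemes fail.
function isSafeHref(href) {
  const cleaned = normaliseHref(href);
  if (cleaned === "") return false;
  if (!/^[a-z][a-z0-9+.-]*:/i.test(cleaned)) return true; // no scheme: relative
  try {
    // URL lowercases the scheme, so mixed-case disguises are handled here.
    return SAFE_SCHEMES.has(new URL(cleaned).protocol);
  } catch {
    return false; // unparseable absolute URL: do not render it as a link
  }
}

// Post-processes renderer output: an <a> with an unsafe href keeps its text
// but loses the href, which mirrors the "discard unsafe links" approach.
function discardUnsafeLinks(html) {
  return html.replace(/<a\b([^>]*?)\shref="([^"]*)"([^>]*)>/gi,
    (match, before, href, after) => (isSafeHref(href) ? match : `<a${before}${after}>`));
}
```

Run it over the HTML your markdown library produces, after rendering and before the result is stored or sent to the client; pair it with a Content Security Policy so a missed case cannot run inline script.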

Responsible: GitHub, Inc.

Reservation: 01/19/2022

Disclosure: 02/15/2022

Moderation: accepted

CPE: ready

EPSS: 0.00468

KEV: no

Activities: very low
