Search

Find a vulnerability

Search criteria

    28 vulnerabilities found for kodbox by kodcloud

    CVE-2026-1066 (GCVE-0-2026-1066)

    Vulnerability from nvd – Published: 2026-01-17 21:02 – Updated: 2026-02-23 08:34
    VLAI
    Title
    kalcaddle kodbox Compression zip command injection
    Summary
    A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.341665 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.341665 signaturepermissions-required
    https://vuldb.com/?submit.731436 third-party-advisory
    https://github.com/DReazer/CV3/blob/main/Krce.md exploit
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.61.0
    Affected: 1.61.1
    Affected: 1.61.2
    Affected: 1.61.3
    Affected: 1.61.4
    Affected: 1.61.5
    Affected: 1.61.6
    Affected: 1.61.7
    Affected: 1.61.8
    Affected: 1.61.9
    Affected: 1.61.10
    Create a notification for this product.
    Credits
    Snkn0w (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1066",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T17:24:52.744283Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T17:24:58.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Compression Handler"
              ],
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.61.0"
                },
                {
                  "status": "affected",
                  "version": "1.61.1"
                },
                {
                  "status": "affected",
                  "version": "1.61.2"
                },
                {
                  "status": "affected",
                  "version": "1.61.3"
                },
                {
                  "status": "affected",
                  "version": "1.61.4"
                },
                {
                  "status": "affected",
                  "version": "1.61.5"
                },
                {
                  "status": "affected",
                  "version": "1.61.6"
                },
                {
                  "status": "affected",
                  "version": "1.61.7"
                },
                {
                  "status": "affected",
                  "version": "1.61.8"
                },
                {
                  "status": "affected",
                  "version": "1.61.9"
                },
                {
                  "status": "affected",
                  "version": "1.61.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Snkn0w (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:34:40.545Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-341665 | kalcaddle kodbox Compression zip command injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.341665"
            },
            {
              "name": "VDB-341665 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.341665"
            },
            {
              "name": "Submit #731436 | kalcaddle kodbox \u003c=1.61.10 Command Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.731436"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DReazer/CV3/blob/main/Krce.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-16T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-01-16T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-01-18T00:39:02.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox Compression zip command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-1066",
        "datePublished": "2026-01-17T21:02:06.222Z",
        "dateReserved": "2026-01-16T19:32:40.823Z",
        "dateUpdated": "2026-02-23T08:34:40.545Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-10233 (GCVE-0-2025-10233)

    Vulnerability from nvd – Published: 2025-09-10 23:02 – Updated: 2025-09-11 14:29
    VLAI
    Title
    kalcaddle kodbox editor.class.php fileSave path traversal
    Summary
    A security vulnerability has been detected in kalcaddle kodbox 1.61. This affects the function fileGet/fileSave of the file app/controller/explorer/editor.class.php. The manipulation of the argument path leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.61
    Create a notification for this product.
    Credits
    Yu Bao (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-10233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-11T14:28:43.932374Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-11T14:29:03.494Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.61"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yu Bao (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in kalcaddle kodbox 1.61. This affects the function fileGet/fileSave of the file app/controller/explorer/editor.class.php. The manipulation of the argument path leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In kalcaddle kodbox 1.61 wurde eine Schwachstelle gefunden. Hiervon betroffen ist die Funktion fileGet/fileSave der Datei app/controller/explorer/editor.class.php. Durch Manipulation des Arguments path mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-10T23:02:05.674Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-323502 | kalcaddle kodbox editor.class.php fileSave path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.323502"
            },
            {
              "name": "VDB-323502 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.323502"
            },
            {
              "name": "Submit #641755 | kalcaddle kodbox V1.61.09 Arbitrary File Write\u200b RCE",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.641755"
            },
            {
              "name": "Submit #641757 | kalcaddle kodbox V1.61.09 Arbitrary File Read (Duplicate)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.641757"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://github.com/August829/Yu/blob/main/58ead8e7e08bfb012.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/August829/Yu/blob/main/58ead8e7e08bfb011.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-09-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-09-10T15:47:52.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox editor.class.php fileSave path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-10233",
        "datePublished": "2025-09-10T23:02:05.674Z",
        "dateReserved": "2025-09-10T13:42:42.775Z",
        "dateUpdated": "2025-09-11T14:29:03.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-9414 (GCVE-0-2025-9414)

    Vulnerability from nvd – Published: 2025-08-25 18:32 – Updated: 2025-08-25 19:00
    VLAI
    Title
    kalcaddle kodbox Download from Link serverDownload server-side request forgery
    Summary
    A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.321256 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.321256 signaturepermissions-required
    https://vuldb.com/?submit.633727 third-party-advisory
    https://gist.github.com/SysEternals/a03d45b582451… exploit
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.61
    Create a notification for this product.
    Credits
    AquaNight (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9414",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-25T18:52:54.972034Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-25T19:00:18.358Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Download from Link Handler"
              ],
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.61"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AquaNight (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in kalcaddle kodbox 1.61 gefunden. Es geht um eine nicht n\u00e4her bekannte Funktion der Datei /?explorer/upload/serverDownload der Komponente Download from Link Handler. Die Ver\u00e4nderung des Parameters url resultiert in server-side request forgery. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-25T18:32:07.112Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-321256 | kalcaddle kodbox Download from Link serverDownload server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.321256"
            },
            {
              "name": "VDB-321256 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.321256"
            },
            {
              "name": "Submit #633727 | KodCloud KodBox v1.61 Server-Side Request Forgery",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.633727"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/SysEternals/a03d45b582451f243f9c24076593c49c"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-08-25T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-08-25T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-08-25T11:10:21.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox Download from Link serverDownload server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-9414",
        "datePublished": "2025-08-25T18:32:07.112Z",
        "dateReserved": "2025-08-25T09:05:18.132Z",
        "dateUpdated": "2025-08-25T19:00:18.358Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51037 (GCVE-0-2024-51037)

    Vulnerability from nvd – Published: 2024-11-15 00:00 – Updated: 2024-11-18 19:11
    VLAI
    Summary
    An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 0 , < 1.52.04 (custom)
        cpe:2.3:a:kalcaddle:kodbox:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:kalcaddle:kodbox:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "kodbox",
                "vendor": "kalcaddle",
                "versions": [
                  {
                    "lessThan": "1.52.04",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51037",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T19:07:03.852021Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-346",
                    "description": "CWE-346 Origin Validation Error",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-18T19:11:02.523Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-15T18:52:36.408Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "http://kodbox.com"
            },
            {
              "url": "https://github.com/kalcaddle/kodbox"
            },
            {
              "url": "https://www.tommonkey.cn/2024/11/13/CVE-2024-51037-Disclosed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-51037",
        "datePublished": "2024-11-15T00:00:00.000Z",
        "dateReserved": "2024-10-28T00:00:00.000Z",
        "dateUpdated": "2024-11-18T19:11:02.523Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-52069 (GCVE-0-2023-52069)

    Vulnerability from nvd – Published: 2024-01-17 00:00 – Updated: 2025-06-02 15:06
    VLAI
    Summary
    kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:48:12.162Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html_Password_Xss_2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-52069",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T17:35:59.531136Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T15:06:47.338Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-17T02:23:41.944Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html_Password_Xss_2"
            },
            {
              "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-52069",
        "datePublished": "2024-01-17T00:00:00.000Z",
        "dateReserved": "2023-12-26T00:00:00.000Z",
        "dateUpdated": "2025-06-02T15:06:47.338Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-52068 (GCVE-0-2023-52068)

    Vulnerability from nvd – Published: 2024-01-16 00:00 – Updated: 2025-06-17 15:11
    VLAI
    Summary
    kodbox v1.43 was discovered to contain a cross-site scripting (XSS) vulnerability via the operation and login logs.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:48:12.128Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss.html_Password_Kodbox_Stored_Xss1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-52068",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-17T16:37:59.472172Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T15:11:10.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox v1.43 was discovered to contain a cross-site scripting (XSS) vulnerability via the operation and login logs."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-16T21:47:17.298Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss.html_Password_Kodbox_Stored_Xss1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-52068",
        "datePublished": "2024-01-16T00:00:00.000Z",
        "dateReserved": "2023-12-26T00:00:00.000Z",
        "dateUpdated": "2025-06-17T15:11:10.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39691 (GCVE-0-2023-39691)

    Vulnerability from nvd – Published: 2024-01-16 00:00 – Updated: 2025-06-02 15:12
    VLAI
    Summary
    An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:09.655Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/kodbox_Logical.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39691",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-09T23:34:32.371112Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T15:12:23.951Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-16T21:52:17.026Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/kodbox_Logical.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-39691",
        "datePublished": "2024-01-16T00:00:00.000Z",
        "dateReserved": "2023-08-07T00:00:00.000Z",
        "dateUpdated": "2025-06-02T15:12:23.951Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6849 (GCVE-0-2023-6849)

    Vulnerability from nvd – Published: 2023-12-16 08:00 – Updated: 2024-08-27 16:09
    VLAI
    Title
    kalcaddle kodbox app.php cover server-side request forgery
    Summary
    A vulnerability was found in kalcaddle kodbox up to 1.48. It has been rated as critical. Affected by this issue is the function cover of the file plugins/fileThumb/app.php. The manipulation of the argument path leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The patch is identified as 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. VDB-248210 is the identifier assigned to this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28
    Affected: 1.29
    Affected: 1.30
    Affected: 1.31
    Affected: 1.32
    Affected: 1.33
    Affected: 1.34
    Affected: 1.35
    Affected: 1.36
    Affected: 1.37
    Affected: 1.38
    Affected: 1.39
    Affected: 1.40
    Affected: 1.41
    Affected: 1.42
    Affected: 1.43
    Affected: 1.44
    Affected: 1.45
    Affected: 1.46
    Affected: 1.47
    Affected: 1.48
    Create a notification for this product.
    Credits
    glzjin (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:42:07.932Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.248210"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.248210"
              },
              {
                "tags": [
                  "broken-link",
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://note.zhaoj.in/share/jSsPAWT1pKsq"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T16:08:31.309792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T16:09:00.482Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28"
                },
                {
                  "status": "affected",
                  "version": "1.29"
                },
                {
                  "status": "affected",
                  "version": "1.30"
                },
                {
                  "status": "affected",
                  "version": "1.31"
                },
                {
                  "status": "affected",
                  "version": "1.32"
                },
                {
                  "status": "affected",
                  "version": "1.33"
                },
                {
                  "status": "affected",
                  "version": "1.34"
                },
                {
                  "status": "affected",
                  "version": "1.35"
                },
                {
                  "status": "affected",
                  "version": "1.36"
                },
                {
                  "status": "affected",
                  "version": "1.37"
                },
                {
                  "status": "affected",
                  "version": "1.38"
                },
                {
                  "status": "affected",
                  "version": "1.39"
                },
                {
                  "status": "affected",
                  "version": "1.40"
                },
                {
                  "status": "affected",
                  "version": "1.41"
                },
                {
                  "status": "affected",
                  "version": "1.42"
                },
                {
                  "status": "affected",
                  "version": "1.43"
                },
                {
                  "status": "affected",
                  "version": "1.44"
                },
                {
                  "status": "affected",
                  "version": "1.45"
                },
                {
                  "status": "affected",
                  "version": "1.46"
                },
                {
                  "status": "affected",
                  "version": "1.47"
                },
                {
                  "status": "affected",
                  "version": "1.48"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "glzjin (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kalcaddle kodbox up to 1.48. It has been rated as critical. Affected by this issue is the function cover of the file plugins/fileThumb/app.php. The manipulation of the argument path leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The patch is identified as 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. VDB-248210 is the identifier assigned to this vulnerability."
            },
            {
              "lang": "de",
              "value": "Eine kritische Schwachstelle wurde in kalcaddle kodbox bis 1.48 ausgemacht. Davon betroffen ist die Funktion cover der Datei plugins/fileThumb/app.php. Mittels Manipulieren des Arguments path mit unbekannten Daten kann eine server-side request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.48.04 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 63a4d5708d210f119c24afd941d01a943e25334c bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-13T07:25:37.384Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.248210"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.248210"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://note.zhaoj.in/share/jSsPAWT1pKsq"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-12-15T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-01-11T15:07:08.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox app.php cover server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-6849",
        "datePublished": "2023-12-16T08:00:06.005Z",
        "dateReserved": "2023-12-15T16:15:59.331Z",
        "dateUpdated": "2024-08-27T16:09:00.482Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6848 (GCVE-0-2023-6848)

    Vulnerability from nvd – Published: 2023-12-16 06:31 – Updated: 2024-08-02 08:42
    VLAI
    Title
    kalcaddle kodbox index.class.php check command injection
    Summary
    A vulnerability was found in kalcaddle kodbox up to 1.48. It has been declared as critical. Affected by this vulnerability is the function check of the file plugins/officeViewer/controller/libreOffice/index.class.php. The manipulation of the argument soffice leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The identifier of the patch is 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. The identifier VDB-248209 was assigned to this vulnerability.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28
    Affected: 1.29
    Affected: 1.30
    Affected: 1.31
    Affected: 1.32
    Affected: 1.33
    Affected: 1.34
    Affected: 1.35
    Affected: 1.36
    Affected: 1.37
    Affected: 1.38
    Affected: 1.39
    Affected: 1.40
    Affected: 1.41
    Affected: 1.42
    Affected: 1.43
    Affected: 1.44
    Affected: 1.45
    Affected: 1.46
    Affected: 1.47
    Affected: 1.48
    Create a notification for this product.
    Credits
    glzjin (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:42:07.684Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.248209"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.248209"
              },
              {
                "tags": [
                  "broken-link",
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://note.zhaoj.in/share/pf838kAzQyTQ"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28"
                },
                {
                  "status": "affected",
                  "version": "1.29"
                },
                {
                  "status": "affected",
                  "version": "1.30"
                },
                {
                  "status": "affected",
                  "version": "1.31"
                },
                {
                  "status": "affected",
                  "version": "1.32"
                },
                {
                  "status": "affected",
                  "version": "1.33"
                },
                {
                  "status": "affected",
                  "version": "1.34"
                },
                {
                  "status": "affected",
                  "version": "1.35"
                },
                {
                  "status": "affected",
                  "version": "1.36"
                },
                {
                  "status": "affected",
                  "version": "1.37"
                },
                {
                  "status": "affected",
                  "version": "1.38"
                },
                {
                  "status": "affected",
                  "version": "1.39"
                },
                {
                  "status": "affected",
                  "version": "1.40"
                },
                {
                  "status": "affected",
                  "version": "1.41"
                },
                {
                  "status": "affected",
                  "version": "1.42"
                },
                {
                  "status": "affected",
                  "version": "1.43"
                },
                {
                  "status": "affected",
                  "version": "1.44"
                },
                {
                  "status": "affected",
                  "version": "1.45"
                },
                {
                  "status": "affected",
                  "version": "1.46"
                },
                {
                  "status": "affected",
                  "version": "1.47"
                },
                {
                  "status": "affected",
                  "version": "1.48"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "glzjin (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kalcaddle kodbox up to 1.48. It has been declared as critical. Affected by this vulnerability is the function check of the file plugins/officeViewer/controller/libreOffice/index.class.php. The manipulation of the argument soffice leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The identifier of the patch is 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. The identifier VDB-248209 was assigned to this vulnerability."
            },
            {
              "lang": "de",
              "value": "In kalcaddle kodbox bis 1.48 wurde eine kritische Schwachstelle ausgemacht. Hierbei betrifft es die Funktion check der Datei plugins/officeViewer/controller/libreOffice/index.class.php. Mittels dem Manipulieren des Arguments soffice mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.48.04 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 63a4d5708d210f119c24afd941d01a943e25334c bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-13T07:25:23.055Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.248209"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.248209"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://note.zhaoj.in/share/pf838kAzQyTQ"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-12-15T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-01-11T15:00:00.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox index.class.php check command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-6848",
        "datePublished": "2023-12-16T06:31:04.404Z",
        "dateReserved": "2023-12-15T16:15:54.998Z",
        "dateUpdated": "2024-08-02T08:42:07.684Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-48028 (GCVE-0-2023-48028)

    Vulnerability from nvd – Published: 2023-11-17 00:00 – Updated: 2025-09-29 13:47
    VLAI
    Summary
    kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:23:38.657Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/bugplorer/9ae8ad7a9f2a3053ebd07a1b7b54deae"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://nitipoom-jar.github.io/CVE-2023-48028/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-48028",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T14:35:46.480621Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T14:36:48.503Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-29T13:47:45.687Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://gist.github.com/bugplorer/9ae8ad7a9f2a3053ebd07a1b7b54deae"
            },
            {
              "url": "https://nitipoom-jar.github.io/CVE-2023-48028/"
            },
            {
              "url": "https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48028"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-48028",
        "datePublished": "2023-11-17T00:00:00.000Z",
        "dateReserved": "2023-11-13T00:00:00.000Z",
        "dateUpdated": "2025-09-29T13:47:45.687Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45998 (GCVE-0-2023-45998)

    Vulnerability from nvd – Published: 2023-10-23 00:00 – Updated: 2024-09-17 14:23
    VLAI
    Summary
    kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in storing XSS.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:29:32.613Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/fangjiuye/703fdb643db558640f23e4e7c9532348"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45998",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-11T18:34:55.187870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T14:23:25.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in storing XSS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-23T21:33:38.353Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://gist.github.com/fangjiuye/703fdb643db558640f23e4e7c9532348"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-45998",
        "datePublished": "2023-10-23T00:00:00.000Z",
        "dateReserved": "2023-10-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T14:23:25.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3607 (GCVE-0-2023-3607)

    Vulnerability from nvd – Published: 2023-07-10 21:00 – Updated: 2024-08-02 07:01
    VLAI
    Title
    kodbox WebConsole Plug-In webconsole.php.txt Execute os command injection
    Summary
    A vulnerability was found in kodbox 1.26. It has been declared as critical. This vulnerability affects the function Execute of the file webconsole.php.txt of the component WebConsole Plug-In. The manipulation leads to os command injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-233476. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
    CWE
    • CWE-78 - OS Command Injection
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.233476 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.233476 signaturepermissions-required
    https://github.com/mohdkey/cve/blob/main/kodbox.md exploit
    Impacted products
    Vendor Product Version
    n/a kodbox Affected: 1.26
    Credits
    XCES (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:01:56.692Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.233476"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.233476"
              },
              {
                "tags": [
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://github.com/mohdkey/cve/blob/main/kodbox.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "WebConsole Plug-In"
              ],
              "product": "kodbox",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "analyst",
              "value": "XCES (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kodbox 1.26. It has been declared as critical. This vulnerability affects the function Execute of the file webconsole.php.txt of the component WebConsole Plug-In. The manipulation leads to os command injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-233476. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In kodbox 1.26 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Das betrifft die Funktion Execute der Datei webconsole.php.txt der Komponente WebConsole Plug-In. Dank Manipulation mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.2,
                "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 OS Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-23T14:51:45.825Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.233476"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.233476"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/mohdkey/cve/blob/main/kodbox.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-07-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-07-10T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-07-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2023-07-27T14:03:29.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kodbox WebConsole Plug-In webconsole.php.txt Execute os command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-3607",
        "datePublished": "2023-07-10T21:00:05.507Z",
        "dateReserved": "2023-07-10T19:44:59.934Z",
        "dateUpdated": "2024-08-02T07:01:56.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29790 (GCVE-0-2023-29790)

    Vulnerability from nvd – Published: 2023-05-12 00:00 – Updated: 2025-01-24 19:39
    VLAI
    Summary
    kodbox 1.2.x through 1.3.7 has a Sensitive Information Leakage issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-426 - Untrusted Search Path
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:14:39.909Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/kodbox.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29790",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-24T19:39:26.080856Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-426",
                    "description": "CWE-426 Untrusted Search Path",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-24T19:39:30.236Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox 1.2.x through 1.3.7 has a Sensitive Information Leakage issue."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-12T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/kodbox.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-29790",
        "datePublished": "2023-05-12T00:00:00.000Z",
        "dateReserved": "2023-04-07T00:00:00.000Z",
        "dateUpdated": "2025-01-24T19:39:30.236Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29791 (GCVE-0-2023-29791)

    Vulnerability from nvd – Published: 2023-05-11 00:00 – Updated: 2025-01-28 20:40
    VLAI
    Summary
    kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:14:39.946Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/kodbox-xss.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29791",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-28T20:36:23.589549Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-28T20:40:06.493Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox \u003c= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-11T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/kodbox-xss.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-29791",
        "datePublished": "2023-05-11T00:00:00.000Z",
        "dateReserved": "2023-04-07T00:00:00.000Z",
        "dateUpdated": "2025-01-28T20:40:06.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-1066 (GCVE-0-2026-1066)

    Vulnerability from cvelistv5 – Published: 2026-01-17 21:02 – Updated: 2026-02-23 08:34
    VLAI
    Title
    kalcaddle kodbox Compression zip command injection
    Summary
    A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.341665 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.341665 signaturepermissions-required
    https://vuldb.com/?submit.731436 third-party-advisory
    https://github.com/DReazer/CV3/blob/main/Krce.md exploit
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.61.0
    Affected: 1.61.1
    Affected: 1.61.2
    Affected: 1.61.3
    Affected: 1.61.4
    Affected: 1.61.5
    Affected: 1.61.6
    Affected: 1.61.7
    Affected: 1.61.8
    Affected: 1.61.9
    Affected: 1.61.10
    Create a notification for this product.
    Credits
    Snkn0w (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1066",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T17:24:52.744283Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T17:24:58.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Compression Handler"
              ],
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.61.0"
                },
                {
                  "status": "affected",
                  "version": "1.61.1"
                },
                {
                  "status": "affected",
                  "version": "1.61.2"
                },
                {
                  "status": "affected",
                  "version": "1.61.3"
                },
                {
                  "status": "affected",
                  "version": "1.61.4"
                },
                {
                  "status": "affected",
                  "version": "1.61.5"
                },
                {
                  "status": "affected",
                  "version": "1.61.6"
                },
                {
                  "status": "affected",
                  "version": "1.61.7"
                },
                {
                  "status": "affected",
                  "version": "1.61.8"
                },
                {
                  "status": "affected",
                  "version": "1.61.9"
                },
                {
                  "status": "affected",
                  "version": "1.61.10"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Snkn0w (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in kalcaddle kodbox up to 1.61.10. This issue affects some unknown processing of the file /?explorer/index/zip of the component Compression Handler. The manipulation results in command injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:34:40.545Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-341665 | kalcaddle kodbox Compression zip command injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.341665"
            },
            {
              "name": "VDB-341665 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.341665"
            },
            {
              "name": "Submit #731436 | kalcaddle kodbox \u003c=1.61.10 Command Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.731436"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DReazer/CV3/blob/main/Krce.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-16T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-01-16T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-01-18T00:39:02.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox Compression zip command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-1066",
        "datePublished": "2026-01-17T21:02:06.222Z",
        "dateReserved": "2026-01-16T19:32:40.823Z",
        "dateUpdated": "2026-02-23T08:34:40.545Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-10233 (GCVE-0-2025-10233)

    Vulnerability from cvelistv5 – Published: 2025-09-10 23:02 – Updated: 2025-09-11 14:29
    VLAI
    Title
    kalcaddle kodbox editor.class.php fileSave path traversal
    Summary
    A security vulnerability has been detected in kalcaddle kodbox 1.61. This affects the function fileGet/fileSave of the file app/controller/explorer/editor.class.php. The manipulation of the argument path leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.61
    Create a notification for this product.
    Credits
    Yu Bao (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-10233",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-11T14:28:43.932374Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-11T14:29:03.494Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.61"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Yu Bao (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in kalcaddle kodbox 1.61. This affects the function fileGet/fileSave of the file app/controller/explorer/editor.class.php. The manipulation of the argument path leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In kalcaddle kodbox 1.61 wurde eine Schwachstelle gefunden. Hiervon betroffen ist die Funktion fileGet/fileSave der Datei app/controller/explorer/editor.class.php. Durch Manipulation des Arguments path mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Ein Angriff ist aus der Distanz m\u00f6glich. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-10T23:02:05.674Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-323502 | kalcaddle kodbox editor.class.php fileSave path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.323502"
            },
            {
              "name": "VDB-323502 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.323502"
            },
            {
              "name": "Submit #641755 | kalcaddle kodbox V1.61.09 Arbitrary File Write\u200b RCE",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.641755"
            },
            {
              "name": "Submit #641757 | kalcaddle kodbox V1.61.09 Arbitrary File Read (Duplicate)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.641757"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://github.com/August829/Yu/blob/main/58ead8e7e08bfb012.md"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/August829/Yu/blob/main/58ead8e7e08bfb011.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-09-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-09-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-09-10T15:47:52.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox editor.class.php fileSave path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-10233",
        "datePublished": "2025-09-10T23:02:05.674Z",
        "dateReserved": "2025-09-10T13:42:42.775Z",
        "dateUpdated": "2025-09-11T14:29:03.494Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-9414 (GCVE-0-2025-9414)

    Vulnerability from cvelistv5 – Published: 2025-08-25 18:32 – Updated: 2025-08-25 19:00
    VLAI
    Title
    kalcaddle kodbox Download from Link serverDownload server-side request forgery
    Summary
    A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.321256 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.321256 signaturepermissions-required
    https://vuldb.com/?submit.633727 third-party-advisory
    https://gist.github.com/SysEternals/a03d45b582451… exploit
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.61
    Create a notification for this product.
    Credits
    AquaNight (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-9414",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-25T18:52:54.972034Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-25T19:00:18.358Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Download from Link Handler"
              ],
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.61"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AquaNight (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "Eine Schwachstelle wurde in kalcaddle kodbox 1.61 gefunden. Es geht um eine nicht n\u00e4her bekannte Funktion der Datei /?explorer/upload/serverDownload der Komponente Download from Link Handler. Die Ver\u00e4nderung des Parameters url resultiert in server-side request forgery. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit wurde der \u00d6ffentlichkeit bekannt gemacht und k\u00f6nnte verwendet werden."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-25T18:32:07.112Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-321256 | kalcaddle kodbox Download from Link serverDownload server-side request forgery",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.321256"
            },
            {
              "name": "VDB-321256 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.321256"
            },
            {
              "name": "Submit #633727 | KodCloud KodBox v1.61 Server-Side Request Forgery",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.633727"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://gist.github.com/SysEternals/a03d45b582451f243f9c24076593c49c"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-08-25T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-08-25T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-08-25T11:10:21.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox Download from Link serverDownload server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-9414",
        "datePublished": "2025-08-25T18:32:07.112Z",
        "dateReserved": "2025-08-25T09:05:18.132Z",
        "dateUpdated": "2025-08-25T19:00:18.358Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51037 (GCVE-0-2024-51037)

    Vulnerability from cvelistv5 – Published: 2024-11-15 00:00 – Updated: 2024-11-18 19:11
    VLAI
    Summary
    An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-346 - Origin Validation Error
    Assigner
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 0 , < 1.52.04 (custom)
        cpe:2.3:a:kalcaddle:kodbox:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:kalcaddle:kodbox:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "kodbox",
                "vendor": "kalcaddle",
                "versions": [
                  {
                    "lessThan": "1.52.04",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51037",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-18T19:07:03.852021Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-346",
                    "description": "CWE-346 Origin Validation Error",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-18T19:11:02.523Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-15T18:52:36.408Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "http://kodbox.com"
            },
            {
              "url": "https://github.com/kalcaddle/kodbox"
            },
            {
              "url": "https://www.tommonkey.cn/2024/11/13/CVE-2024-51037-Disclosed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2024-51037",
        "datePublished": "2024-11-15T00:00:00.000Z",
        "dateReserved": "2024-10-28T00:00:00.000Z",
        "dateUpdated": "2024-11-18T19:11:02.523Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-52069 (GCVE-0-2023-52069)

    Vulnerability from cvelistv5 – Published: 2024-01-17 00:00 – Updated: 2025-06-02 15:06
    VLAI
    Summary
    kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:48:12.162Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html_Password_Xss_2"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.4,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "LOW",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-52069",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-08T17:35:59.531136Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T15:06:47.338Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-17T02:23:41.944Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html_Password_Xss_2"
            },
            {
              "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss_2.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-52069",
        "datePublished": "2024-01-17T00:00:00.000Z",
        "dateReserved": "2023-12-26T00:00:00.000Z",
        "dateUpdated": "2025-06-02T15:06:47.338Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-52068 (GCVE-0-2023-52068)

    Vulnerability from cvelistv5 – Published: 2024-01-16 00:00 – Updated: 2025-06-17 15:11
    VLAI
    Summary
    kodbox v1.43 was discovered to contain a cross-site scripting (XSS) vulnerability via the operation and login logs.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:48:12.128Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss.html_Password_Kodbox_Stored_Xss1"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-52068",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-17T16:37:59.472172Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T15:11:10.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox v1.43 was discovered to contain a cross-site scripting (XSS) vulnerability via the operation and login logs."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-16T21:47:17.298Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/Kodbox_Stored_Xss.html_Password_Kodbox_Stored_Xss1"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-52068",
        "datePublished": "2024-01-16T00:00:00.000Z",
        "dateReserved": "2023-12-26T00:00:00.000Z",
        "dateUpdated": "2025-06-17T15:11:10.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-39691 (GCVE-0-2023-39691)

    Vulnerability from cvelistv5 – Published: 2024-01-16 00:00 – Updated: 2025-06-02 15:12
    VLAI
    Summary
    An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T18:18:09.655Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/kodbox_Logical.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-39691",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-09T23:34:32.371112Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-02T15:12:23.951Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-16T21:52:17.026Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/kodbox_Logical.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-39691",
        "datePublished": "2024-01-16T00:00:00.000Z",
        "dateReserved": "2023-08-07T00:00:00.000Z",
        "dateUpdated": "2025-06-02T15:12:23.951Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6849 (GCVE-0-2023-6849)

    Vulnerability from cvelistv5 – Published: 2023-12-16 08:00 – Updated: 2024-08-27 16:09
    VLAI
    Title
    kalcaddle kodbox app.php cover server-side request forgery
    Summary
    A vulnerability was found in kalcaddle kodbox up to 1.48. It has been rated as critical. Affected by this issue is the function cover of the file plugins/fileThumb/app.php. The manipulation of the argument path leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The patch is identified as 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. VDB-248210 is the identifier assigned to this vulnerability.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery
    Assigner
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28
    Affected: 1.29
    Affected: 1.30
    Affected: 1.31
    Affected: 1.32
    Affected: 1.33
    Affected: 1.34
    Affected: 1.35
    Affected: 1.36
    Affected: 1.37
    Affected: 1.38
    Affected: 1.39
    Affected: 1.40
    Affected: 1.41
    Affected: 1.42
    Affected: 1.43
    Affected: 1.44
    Affected: 1.45
    Affected: 1.46
    Affected: 1.47
    Affected: 1.48
    Create a notification for this product.
    Credits
    glzjin (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:42:07.932Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.248210"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.248210"
              },
              {
                "tags": [
                  "broken-link",
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://note.zhaoj.in/share/jSsPAWT1pKsq"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6849",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T16:08:31.309792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T16:09:00.482Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28"
                },
                {
                  "status": "affected",
                  "version": "1.29"
                },
                {
                  "status": "affected",
                  "version": "1.30"
                },
                {
                  "status": "affected",
                  "version": "1.31"
                },
                {
                  "status": "affected",
                  "version": "1.32"
                },
                {
                  "status": "affected",
                  "version": "1.33"
                },
                {
                  "status": "affected",
                  "version": "1.34"
                },
                {
                  "status": "affected",
                  "version": "1.35"
                },
                {
                  "status": "affected",
                  "version": "1.36"
                },
                {
                  "status": "affected",
                  "version": "1.37"
                },
                {
                  "status": "affected",
                  "version": "1.38"
                },
                {
                  "status": "affected",
                  "version": "1.39"
                },
                {
                  "status": "affected",
                  "version": "1.40"
                },
                {
                  "status": "affected",
                  "version": "1.41"
                },
                {
                  "status": "affected",
                  "version": "1.42"
                },
                {
                  "status": "affected",
                  "version": "1.43"
                },
                {
                  "status": "affected",
                  "version": "1.44"
                },
                {
                  "status": "affected",
                  "version": "1.45"
                },
                {
                  "status": "affected",
                  "version": "1.46"
                },
                {
                  "status": "affected",
                  "version": "1.47"
                },
                {
                  "status": "affected",
                  "version": "1.48"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "glzjin (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kalcaddle kodbox up to 1.48. It has been rated as critical. Affected by this issue is the function cover of the file plugins/fileThumb/app.php. The manipulation of the argument path leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The patch is identified as 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. VDB-248210 is the identifier assigned to this vulnerability."
            },
            {
              "lang": "de",
              "value": "Eine kritische Schwachstelle wurde in kalcaddle kodbox bis 1.48 ausgemacht. Davon betroffen ist die Funktion cover der Datei plugins/fileThumb/app.php. Mittels Manipulieren des Arguments path mit unbekannten Daten kann eine server-side request forgery-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.48.04 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 63a4d5708d210f119c24afd941d01a943e25334c bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-13T07:25:37.384Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.248210"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.248210"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://note.zhaoj.in/share/jSsPAWT1pKsq"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-12-15T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-01-11T15:07:08.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox app.php cover server-side request forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-6849",
        "datePublished": "2023-12-16T08:00:06.005Z",
        "dateReserved": "2023-12-15T16:15:59.331Z",
        "dateUpdated": "2024-08-27T16:09:00.482Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-6848 (GCVE-0-2023-6848)

    Vulnerability from cvelistv5 – Published: 2023-12-16 06:31 – Updated: 2024-08-02 08:42
    VLAI
    Title
    kalcaddle kodbox index.class.php check command injection
    Summary
    A vulnerability was found in kalcaddle kodbox up to 1.48. It has been declared as critical. Affected by this vulnerability is the function check of the file plugins/officeViewer/controller/libreOffice/index.class.php. The manipulation of the argument soffice leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The identifier of the patch is 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. The identifier VDB-248209 was assigned to this vulnerability.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    kalcaddle kodbox Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28
    Affected: 1.29
    Affected: 1.30
    Affected: 1.31
    Affected: 1.32
    Affected: 1.33
    Affected: 1.34
    Affected: 1.35
    Affected: 1.36
    Affected: 1.37
    Affected: 1.38
    Affected: 1.39
    Affected: 1.40
    Affected: 1.41
    Affected: 1.42
    Affected: 1.43
    Affected: 1.44
    Affected: 1.45
    Affected: 1.46
    Affected: 1.47
    Affected: 1.48
    Create a notification for this product.
    Credits
    glzjin (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:42:07.684Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.248209"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.248209"
              },
              {
                "tags": [
                  "broken-link",
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://note.zhaoj.in/share/pf838kAzQyTQ"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
              },
              {
                "tags": [
                  "patch",
                  "x_transferred"
                ],
                "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "kodbox",
              "vendor": "kalcaddle",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28"
                },
                {
                  "status": "affected",
                  "version": "1.29"
                },
                {
                  "status": "affected",
                  "version": "1.30"
                },
                {
                  "status": "affected",
                  "version": "1.31"
                },
                {
                  "status": "affected",
                  "version": "1.32"
                },
                {
                  "status": "affected",
                  "version": "1.33"
                },
                {
                  "status": "affected",
                  "version": "1.34"
                },
                {
                  "status": "affected",
                  "version": "1.35"
                },
                {
                  "status": "affected",
                  "version": "1.36"
                },
                {
                  "status": "affected",
                  "version": "1.37"
                },
                {
                  "status": "affected",
                  "version": "1.38"
                },
                {
                  "status": "affected",
                  "version": "1.39"
                },
                {
                  "status": "affected",
                  "version": "1.40"
                },
                {
                  "status": "affected",
                  "version": "1.41"
                },
                {
                  "status": "affected",
                  "version": "1.42"
                },
                {
                  "status": "affected",
                  "version": "1.43"
                },
                {
                  "status": "affected",
                  "version": "1.44"
                },
                {
                  "status": "affected",
                  "version": "1.45"
                },
                {
                  "status": "affected",
                  "version": "1.46"
                },
                {
                  "status": "affected",
                  "version": "1.47"
                },
                {
                  "status": "affected",
                  "version": "1.48"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "glzjin (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kalcaddle kodbox up to 1.48. It has been declared as critical. Affected by this vulnerability is the function check of the file plugins/officeViewer/controller/libreOffice/index.class.php. The manipulation of the argument soffice leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The identifier of the patch is 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. The identifier VDB-248209 was assigned to this vulnerability."
            },
            {
              "lang": "de",
              "value": "In kalcaddle kodbox bis 1.48 wurde eine kritische Schwachstelle ausgemacht. Hierbei betrifft es die Funktion check der Datei plugins/officeViewer/controller/libreOffice/index.class.php. Mittels dem Manipulieren des Arguments soffice mit unbekannten Daten kann eine command injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 1.48.04 vermag dieses Problem zu l\u00f6sen. Der Patch wird als 63a4d5708d210f119c24afd941d01a943e25334c bezeichnet. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "CWE-77 Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-13T07:25:23.055Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.248209"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.248209"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://note.zhaoj.in/share/pf838kAzQyTQ"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/commit/63a4d5708d210f119c24afd941d01a943e25334c"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/kalcaddle/kodbox/releases/tag/1.48.04"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-12-15T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-12-15T01:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2024-01-11T15:00:00.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kalcaddle kodbox index.class.php check command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-6848",
        "datePublished": "2023-12-16T06:31:04.404Z",
        "dateReserved": "2023-12-15T16:15:54.998Z",
        "dateUpdated": "2024-08-02T08:42:07.684Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-48028 (GCVE-0-2023-48028)

    Vulnerability from cvelistv5 – Published: 2023-11-17 00:00 – Updated: 2025-09-29 13:47
    VLAI
    Summary
    kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T21:23:38.657Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/bugplorer/9ae8ad7a9f2a3053ebd07a1b7b54deae"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://nitipoom-jar.github.io/CVE-2023-48028/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-48028",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-29T14:35:46.480621Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T14:36:48.503Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox 1.46.01 has a security flaw that enables user enumeration. This problem is present on the login page, where an attacker can identify valid users based on varying response messages, potentially paving the way for a brute force attack."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-29T13:47:45.687Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://gist.github.com/bugplorer/9ae8ad7a9f2a3053ebd07a1b7b54deae"
            },
            {
              "url": "https://nitipoom-jar.github.io/CVE-2023-48028/"
            },
            {
              "url": "https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2023-48028"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-48028",
        "datePublished": "2023-11-17T00:00:00.000Z",
        "dateReserved": "2023-11-13T00:00:00.000Z",
        "dateUpdated": "2025-09-29T13:47:45.687Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45998 (GCVE-0-2023-45998)

    Vulnerability from cvelistv5 – Published: 2023-10-23 00:00 – Updated: 2024-09-17 14:23
    VLAI
    Summary
    kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in storing XSS.
    Severity
    No CVSS data available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:29:32.613Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://gist.github.com/fangjiuye/703fdb643db558640f23e4e7c9532348"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45998",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-11T18:34:55.187870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-17T14:23:25.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox 1.44 is vulnerable to Cross Site Scripting (XSS). Customizing global HTML results in storing XSS."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-23T21:33:38.353Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://gist.github.com/fangjiuye/703fdb643db558640f23e4e7c9532348"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-45998",
        "datePublished": "2023-10-23T00:00:00.000Z",
        "dateReserved": "2023-10-16T00:00:00.000Z",
        "dateUpdated": "2024-09-17T14:23:25.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-3607 (GCVE-0-2023-3607)

    Vulnerability from cvelistv5 – Published: 2023-07-10 21:00 – Updated: 2024-08-02 07:01
    VLAI
    Title
    kodbox WebConsole Plug-In webconsole.php.txt Execute os command injection
    Summary
    A vulnerability was found in kodbox 1.26. It has been declared as critical. This vulnerability affects the function Execute of the file webconsole.php.txt of the component WebConsole Plug-In. The manipulation leads to os command injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-233476. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
    CWE
    • CWE-78 - OS Command Injection
    Assigner
    References
    URL Tags
    https://vuldb.com/?id.233476 vdb-entrytechnical-description
    https://vuldb.com/?ctiid.233476 signaturepermissions-required
    https://github.com/mohdkey/cve/blob/main/kodbox.md exploit
    Impacted products
    Vendor Product Version
    n/a kodbox Affected: 1.26
    Credits
    XCES (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T07:01:56.692Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?id.233476"
              },
              {
                "tags": [
                  "signature",
                  "permissions-required",
                  "x_transferred"
                ],
                "url": "https://vuldb.com/?ctiid.233476"
              },
              {
                "tags": [
                  "exploit",
                  "x_transferred"
                ],
                "url": "https://github.com/mohdkey/cve/blob/main/kodbox.md"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "WebConsole Plug-In"
              ],
              "product": "kodbox",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.26"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "analyst",
              "value": "XCES (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in kodbox 1.26. It has been declared as critical. This vulnerability affects the function Execute of the file webconsole.php.txt of the component WebConsole Plug-In. The manipulation leads to os command injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-233476. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
            },
            {
              "lang": "de",
              "value": "In kodbox 1.26 wurde eine Schwachstelle ausgemacht. Sie wurde als kritisch eingestuft. Das betrifft die Funktion Execute der Datei webconsole.php.txt der Komponente WebConsole Plug-In. Dank Manipulation mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.2,
                "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 OS Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-23T14:51:45.825Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.233476"
            },
            {
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.233476"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/mohdkey/cve/blob/main/kodbox.md"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-07-10T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2023-07-10T00:00:00.000Z",
              "value": "CVE reserved"
            },
            {
              "lang": "en",
              "time": "2023-07-10T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2023-07-27T14:03:29.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "kodbox WebConsole Plug-In webconsole.php.txt Execute os command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2023-3607",
        "datePublished": "2023-07-10T21:00:05.507Z",
        "dateReserved": "2023-07-10T19:44:59.934Z",
        "dateUpdated": "2024-08-02T07:01:56.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29790 (GCVE-0-2023-29790)

    Vulnerability from cvelistv5 – Published: 2023-05-12 00:00 – Updated: 2025-01-24 19:39
    VLAI
    Summary
    kodbox 1.2.x through 1.3.7 has a Sensitive Information Leakage issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-426 - Untrusted Search Path
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:14:39.909Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/kodbox.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29790",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-24T19:39:26.080856Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-426",
                    "description": "CWE-426 Untrusted Search Path",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-24T19:39:30.236Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox 1.2.x through 1.3.7 has a Sensitive Information Leakage issue."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-12T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/kodbox.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-29790",
        "datePublished": "2023-05-12T00:00:00.000Z",
        "dateReserved": "2023-04-07T00:00:00.000Z",
        "dateUpdated": "2025-01-24T19:39:30.236Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-29791 (GCVE-0-2023-29791)

    Vulnerability from cvelistv5 – Published: 2023-05-11 00:00 – Updated: 2025-01-28 20:40
    VLAI
    Summary
    kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • n/a
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T14:14:39.946Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://blog.mo60.cn/index.php/archives/kodbox-xss.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 6.1,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-29791",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-28T20:36:23.589549Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-79",
                    "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-01-28T20:40:06.493Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "kodbox \u003c= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-11T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://blog.mo60.cn/index.php/archives/kodbox-xss.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2023-29791",
        "datePublished": "2023-05-11T00:00:00.000Z",
        "dateReserved": "2023-04-07T00:00:00.000Z",
        "dateUpdated": "2025-01-28T20:40:06.493Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }