CVE-2020-13248
Description
BooleBox Secure File Sharing Utility before 4.2.3.0 allows stored XSS via a crafted avatar field within My Account JSON data to Account.aspx.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BooleBox Secure File Sharing Utility before 4.2.3.0 contains a stored XSS vulnerability via the avatar field in My Account JSON data.
Vulnerability
BooleBox Secure File Sharing Utility versions before 4.2.3.0 are affected by a stored cross-site scripting (XSS) vulnerability in the avatar field of the My Account section. An attacker can craft a malicious payload in the avatar field, which is sent to the server as a base64-encoded sequence and stored. The payload is then executed when other users view the attacker's profile. [2]
Exploitation
An authenticated user can modify their avatar field under My Account. The avatar is submitted as JSON data to Account.aspx. By inserting a malicious JavaScript payload (e.g., via script tags) into the avatar field, the attacker can cause arbitrary script execution in the browser of any user who views the attacker's profile. No additional user interaction is required beyond viewing the profile. [2]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, data theft, or defacement within the BooleBox application. The attacker's script runs with the privileges of the victim user. [2]
Mitigation
The vulnerability is fixed in version 4.2.3.0. The fix includes validation of the avatar field to prevent malicious input. Users should upgrade to version 4.2.3.0 or later. [2]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- BooleBox / Secure File Sharing Utility
- Range: <4.2.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing server-side sanitization of the avatar JSON parameter allows injection of arbitrary JavaScript into an HTML img tag."
Attack vector
An attacker with a basic account sends a POST request to `/BS/Account.aspx` with a crafted `"avatar"` JSON parameter that contains a JavaScript payload instead of a valid base64-encoded image [ref_id=1]. For example, the value `"\" onerror=\"alert('xss')"` causes the application to store the payload and later embed it unsanitized into an `
Affected code
The vulnerable endpoint is `hostname/BS/Account.aspx` accessed via POST. The vulnerable parameter is the `"avatar"` JSON field within the request body [ref_id=1]. The application fails to sanitize the avatar value before embedding it in an `
What the fix does
The advisory does not provide a patch diff or specific fix code [ref_id=1]. The remediation guidance implied by the disclosure is that the application must properly validate and sanitize the `"avatar"` parameter on the server side before storing it, ensuring it is a legitimate base64-encoded image and that no HTML/JavaScript can be injected into the rendered `
Preconditions
- Auth: the attacker must have a basic authenticated account on the BooleBox platform
- Network: the attacker must be able to send a POST request to /BS/Account.aspx with a crafted JSON body
- Input: the victim must click on the attacker's username in the top-right area of the main application page to trigger the Ajax retrieval of the stored avatar
Reproduction
1. Log in to the BooleBox application with a basic user account.
2. Send a POST request to `/BS/Account.aspx` with the JSON body: `{"action":3,"name":null,"surname":null,"avatar":"\" onerror=\"alert('xss')","inApp":false}` [ref_id=1].
3. As a victim user, click on the attacker's username displayed in the top-right corner of the main page. The stored payload will be retrieved via Ajax and executed in the victim's browser [ref_id=1].
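The server-side validation that the "What the fix does" section calls for, written here as an added example rather than BooleBox's own code (the advisory publishes no fix): a strict base64 decode plus an image-signature allow-list on the `avatar` parameter, and attribute-encoding when the stored value is rendered into the img tag. The accepted signatures, the PNG-like sample blob and the function names are assumptions constructed for this example.

```python
import base64
import binascii
import html
import json

# Allow-list of image signatures an avatar may decode to (assumed for this example).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
MAX_AVATAR_BYTES = 256 * 1024

# Constructed samples: the JSON body quoted in the advisory, and a PNG-like blob.
XSS_BODY = '{"action":3,"name":null,"surname":null,"avatar":"\\" onerror=\\"alert(\'xss\')","inApp":false}'
PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode("ascii")
GOOD_BODY = json.dumps({"action": 3, "name": None, "surname": None, "avatar": PNG_B64, "inApp": False})


def validate_avatar(value):
    """Return (mime, raw_bytes) if value is strict base64 of a known image type."""
    if not isinstance(value, str) or not value:
        return None
    try:
        # validate=True rejects any character outside the base64 alphabet (quotes, spaces, HTML).
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or len(raw) > MAX_AVATAR_BYTES:
        return None
    for sig, mime in IMAGE_SIGNATURES.items():
        if raw.startswith(sig):
            return mime, raw
    return None


def handle_account_update(body):
    """Parse a My Account JSON body and accept the avatar only if it validates."""
    data = json.loads(body)
    result = validate_avatar(data.get("avatar"))
    if result is None:
        return {"ok": False, "error": "avatar must be base64 PNG or JPEG"}
    mime, raw = result
    # Persist a re-encoding of the decoded bytes, never the client-supplied string.
    return {"ok": True, "mime": mime, "avatar": base64.b64encode(raw).decode("ascii")}


def render_avatar_img(mime, avatar_b64):
    """Build the <img> tag from validated data; attribute-encode regardless."""
    src = "data:%s;base64,%s" % (mime, avatar_b64)
    return '<img src="%s" alt="avatar">' % html.escape(src, quote=True)
```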
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- app.boolebox.com/release/vulnerabilities/CVE-2020-13247-13248.html (MITRE x_refsource_MISC)
- members.backbox.org/boolebox-secure-sharing-multiple-vulnerabilities/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.