Bluebox
Monthly
Cross-site scripting in stephen-kruger bluebox up to version 4.5.12 allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers by manipulating the 'code' argument in an unspecified function. The attack requires user interaction (CVSS 4.0 UI:P), meaning a victim must be induced to click a crafted link or visit a malicious page. A public exploit exists via a GitHub issue report, though no CISA KEV listing confirms active widespread exploitation. The CVSS 4.0 score of 2.1 reflects the constrained integrity-only impact and passive user-interaction requirement.
Cross-site scripting in stephen-kruger bluebox up to version 4.5.12 allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers by manipulating the 'code' argument in an unspecified function. The attack requires user interaction (CVSS 4.0 UI:P), meaning a victim must be induced to click a crafted link or visit a malicious page. A public exploit exists via a GitHub issue report, though no CISA KEV listing confirms active widespread exploitation. The CVSS 4.0 score of 2.1 reflects the constrained integrity-only impact and passive user-interaction requirement.