BooleBox Secure File Sharing Utility before 4.2.3.0 allows stored XSS via a crafted avatar field within My Account JSON data to Account.aspx.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13248
Reference (s):
- https://app.boolebox.com/release/vulnerabilities/CVE-2020-13247-13248.html
- https://members.backbox.org/boolebox-secure-sharing-multiple-vulnerabilities/