A Cross-site Scripting vulnerability (CVE-2026-1493) has been found in the LEX Baza Dokumentów software.
Analysis Summary
# Vulnerability: DOM-based Cross-Site Scripting (XSS) in LEX Baza Dokumentów
## CVE Details
- **CVE ID**: CVE-2026-1493
- **CVSS Score**: Not explicitly provided (Vendor and CERT Polska evaluate the risk as **Minimal**)
- **CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation)
## Affected Systems
- **Products**: LEX Baza Dokumentów (by Wolters Kluwer Polska)
- **Versions**: All versions prior to 1.3.4
- **Configurations**: Default installations processing client-side cookies.
## Vulnerability Description
LEX Baza Dokumentów is susceptible to a **DOM-based Cross-Site Scripting (XSS)** vulnerability residing in the `em` cookie. Client-side script reads the value of this cookie and inserts it into the Document Object Model (DOM) without first neutralizing it, so markup or script contained in the cookie value is interpreted by the browser. This allows the execution of arbitrary JavaScript within the context of the victim's session.
## Exploitation
- **Status**: Not exploited (Reported via Coordinated Vulnerability Disclosure)
- **Complexity**: High (Requires the attacker to have the ability to set or manipulate a cookie on the victim's browser)
- **Attack Vector**: Network (specifically via client-side injection)
## Impact
- **Confidentiality**: Low (Potential access to session tokens or sensitive data rendered in the DOM)
- **Integrity**: Low (Ability to modify the appearance of the page or perform actions on behalf of the user)
- **Availability**: None
## Remediation
### Patches
- **Version 1.3.4**: The vendor, Wolters Kluwer Polska, has released version 1.3.4 which successfully addresses this flaw. Users should update to this version or newer.
### Workarounds
- No specific workarounds were provided; however, standard browser security practices and clearing cookies can temporarily reduce the risk until the update is applied.
## Detection
- **Indicators of Compromise**: Presence of malicious scripts or unusual payloads within the `em` cookie value.
- **Detection methods and tools**: Web application security scanners (DAST) capable of analyzing DOM-based XSS or manual inspection of client-side scripts processing the `em` cookie.
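The following is an added example, not code from LEX Baza Dokumentów or from the advisory, illustrating two points above: the Vulnerability Description (a cookie value written into the DOM as markup, beside the hardened text-only assignment) and the Detection section (a coarse check over request log lines for markup-like content in the `em` cookie). The rendering functions are a hypothetical reconstruction of the CWE-79 pattern, since the application's actual script is not on the page; the log line format, the sample values and the suspicious-content pattern are constructed assumptions for this example.

```javascript
// Added example (not LEX Baza Dokumentów code). The render functions are a
// hypothetical reconstruction of the vulnerable pattern; the log format and
// detection pattern are assumptions for illustration.

const TAG_RE = /<[a-zA-Z][^>]*>/g;

// Escape the five characters that can change HTML parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse a document.cookie / Cookie-header string into { name: decodedValue }.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    try {
      jar[name] = decodeURIComponent(raw);
    } catch {
      jar[name] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return jar;
}

// Minimal element model so the example runs under Node without a browser:
// innerHTML stores markup verbatim, textContent stores it escaped, which is
// what a browser's serializer gives back for the same two assignments.
function makeElement() {
  const el = { _html: '' };
  Object.defineProperty(el, 'innerHTML', {
    get() { return this._html; },
    set(v) { this._html = String(v); },
  });
  Object.defineProperty(el, 'textContent', {
    set(v) { this._html = escapeHtml(v); },
  });
  return el;
}

// Number of start tags the browser would create from a markup string.
function countTags(markup) {
  return (markup.match(TAG_RE) || []).length;
}

// Vulnerable pattern (hypothetical): the cookie value is treated as markup,
// so any tag inside it becomes live DOM. This is the CWE-79 sink.
function renderEmUnsafe(cookieString, el = makeElement()) {
  const em = parseCookies(cookieString).em ?? '';
  el.innerHTML = '<span class="em">' + em + '</span>';
  return el.innerHTML;
}

// Hardened pattern: the value is assigned as text and never parsed as HTML.
function renderEmSafe(cookieString, el = makeElement()) {
  const em = parseCookies(cookieString).em ?? '';
  el.textContent = em;
  return el.innerHTML;
}

// Detection: flag log lines whose `em` cookie carries markup or script-like
// content. The pattern is deliberately coarse (assumption); tune per deployment.
const SUSPICIOUS_RE = /<|>|javascript:|\bon[a-z]+\s*=/i;

function findSuspiciousEmCookies(logLines) {
  const hits = [];
  logLines.forEach((line, i) => {
    const m = /Cookie:\s*(.*)$/i.exec(line);
    if (!m) return;
    const em = parseCookies(m[1]).em;
    if (em !== undefined && SUSPICIOUS_RE.test(em)) {
      hits.push({ line: i + 1, em });
    }
  });
  return hits;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 GET /app Cookie: sid=abc123; em=user%40example.com; theme=dark',
  '10.0.0.7 GET /app Cookie: sid=def456; em=%3Cb%3Ename%3C%2Fb%3E',
  '10.0.0.9 GET /app Cookie: sid=ghi789',
];

if (typeof require !== 'undefined' && require.main === module) {
  const jar = 'sid=def456; em=' + encodeURIComponent('<b>name</b>');
  console.log('tags created by unsafe render:', countTags(renderEmUnsafe(jar)));
  console.log('tags created by safe render:  ', countTags(renderEmSafe(jar)));
  console.log('flagged log lines:', findSuspiciousEmCookies(SAMPLE_LOG));
}
```

The only difference between the two render functions is the sink: `innerHTML` hands the cookie value to the HTML parser, `textContent` does not, so the fix is a change of sink rather than a filter on the value. The log check is a triage aid for the indicator named above, not a proof of exploitation; a value that trips it still has to be read in context.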
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2024/04/CVE-2026-1493/ (Note: Date in source text implies future-dated or placeholder 2026)
- CVE Record: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-1493
- CWE-79 Definition: hxxps[://]cwe[.]mitre[.]org/data/definitions/79[.]html