Description
LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely
processes the parameter on the client side, allowing an attacker to execute arbitrary
JavaScript in the context of the victim's browser.
An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch.

This issue was fixed in version 1.3.4.
Published: 2026-04-30
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LEX Baza Dokumentów is vulnerable to a DOM‑based cross‑site scripting flaw through the "em" cookie parameter. The application processes this cookie value on the client side without proper sanitization, which allows an attacker to inject arbitrary JavaScript that executes in the victim’s browser context. This weakness corresponds to CWE‑79 and results in the compromise of confidentiality, integrity, or availability only within the victim’s session, as the payload runs in the client’s environment.

Affected Systems

The affected product is Wolters Kluwer Polska LEX Baza Dokumentów. Vulnerable versions are those released before the security patch that shipped in version 1.3.4. No other specific release identifiers are provided.

Risk and Exploitability

The CVSS score of 4.6 places the vulnerability in the medium category, and the EPSS score is unavailable; the issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to set or spoof the "em" cookie for the target domain, which is typically achievable only if the attacker can influence the victim’s browser (e.g., through a malicious site or phishing). Because the attack surface is limited to client‑side cookie manipulation, the practical risk is considered minimal, but the vendor still released a patch to mitigate the flaw.

Generated by OpenCVE AI on April 30, 2026 at 13:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to LEX Baza Dokumentów 1.3.4 or later, which contains the vendor‑issued fix.
  • If an upgrade is not possible immediately, configure the browser or application environment to block or strip the "em" cookie before it is processed client side.
  • Monitor web traffic for suspicious cookie assignments to "em" and consider WAF or security plug‑ins that prevent ‘document.cookie’ manipulation.

Generated by OpenCVE AI on April 30, 2026 at 13:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Wolters Kluwer Polska
Wolters Kluwer Polska lex Baza Dokumentów
Vendors & Products Wolters Kluwer Polska
Wolters Kluwer Polska lex Baza Dokumentów

Thu, 30 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Description LEX Baza Dokumentów is vulnerable to DOM-based XSS in "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch. This issue was fixed in version 1.3.4.
Title Cross-Site Scripting in LEX Baza Dokumentów
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Wolters Kluwer Polska Lex Baza Dokumentów
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-30T13:04:44.255Z

Reserved: 2026-01-27T14:52:25.033Z

Link: CVE-2026-1493

cve-icon Vulnrichment

Updated: 2026-04-30T13:04:40.855Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-30T12:16:23.120

Modified: 2026-04-30T15:48:26.580

Link: CVE-2026-1493

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:21:27Z

Weaknesses