2.10.4
CVE-2022-0965 is a stored Cross-Site Scripting (XSS) vulnerability affecting Showdoc versions 2.10.4 and earlier. This vulnerability arises from the insecure handling of .ofd file uploads, allowing attackers to inject malicious JavaScript code. Successful exploitation can lead to session hijacking, defacement, and other malicious actions. Affected versions include all installations of Showdoc prior to version 2.10.4; upgrading to the patched version is essential.
An attacker can exploit this vulnerability by uploading a specially crafted .ofd file to a Showdoc instance. This file contains malicious JavaScript code that will be executed in the context of the user's browser when they view the uploaded file. This can lead to a variety of attacks, including session hijacking, where the attacker gains control of the user's account. The attacker could also inject malicious scripts into the Showdoc interface, potentially defacing the website or redirecting users to phishing sites. The blast radius extends to all users who interact with the vulnerable Showdoc instance, making it a significant security risk.
CVE-2022-0965 was publicly disclosed on March 15, 2022. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential impact make it a likely target. There are publicly available proof-of-concept (POC) exploits demonstrating the vulnerability. It is not currently listed on CISA KEV.
EPSS: 0.38% (60th percentile)
The primary mitigation for CVE-2022-0965 is to upgrade Showdoc to version 2.10.4 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing strict input validation on uploaded files, specifically .ofd files, to prevent the injection of malicious code. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly scan Showdoc installations for vulnerabilities using automated security tools.
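One way to apply the strict .ofd upload validation suggested above, as an added example that is not Showdoc's own code or its patch. It assumes the risk is non-OFD content stored under an .ofd name and relies on OFD being a ZIP package with an OFD.xml entry at its root; the function names and the size limit are hypothetical.

```python
import io
import zipfile
from typing import Dict, Tuple

MAX_UPLOAD_BYTES = 20 * 1024 * 1024  # assumed limit, tune per deployment
ZIP_LOCAL_HEADER = b"PK\x03\x04"     # first bytes of a non-empty ZIP archive


def validate_ofd_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an upload that claims to be .ofd."""
    if not filename.lower().endswith(".ofd"):
        return False, "not an .ofd upload"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Assumption: a file that is really markup or script text will not
    # begin with the ZIP local-file header, so refuse it before storing.
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False, "not a ZIP container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "OFD.xml" not in names:
                return False, "missing OFD.xml entry"
            # Refuse absolute or parent-relative member paths.
            if any(n.startswith("/") or ".." in n.split("/") for n in names):
                return False, "unsafe member path"
            # testzip() returns the first member with a bad CRC, else None.
            if zf.testzip() is not None:
                return False, "corrupt member"
    except zipfile.BadZipFile:
        return False, "corrupt ZIP container"
    return True, "ok"


def build_sample_package(members: Dict[str, str]) -> bytes:
    """Build a constructed ZIP package in memory for exercising the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_package({"OFD.xml": "<ofd:OFD/>"})  # constructed
    fake = b"<html><body>constructed sample</body></html>"  # constructed
    print(validate_ofd_upload("spec.ofd", good))
    print(validate_ofd_upload("spec.ofd", fake))
```

A check like this only narrows what can be stored as .ofd; it is a stopgap alongside the upgrade, not a replacement for it.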
Upgrade Showdoc to version 2.10.4 or later. This version contains a fix for the stored XSS vulnerability. The upgrade can be performed by downloading the new version from the repository and replacing the existing files.
CVE-2022-0965 is a critical stored XSS vulnerability in Showdoc versions up to 2.10.4, allowing attackers to inject malicious JavaScript via .ofd file uploads.
Yes, if you are running Showdoc version 2.10.4 or earlier, you are vulnerable to this XSS attack. Upgrade to the latest version (2.10.4+) immediately.
Upgrade Showdoc to version 2.10.4 or later. Implement strict input validation for .ofd files as a temporary workaround if upgrading is not immediately possible.
While no active campaigns have been confirmed, the vulnerability is easily exploitable and a likely target for attackers. Public POCs are available.
Refer to the Showdoc project's official website or GitHub repository for the latest security advisories and updates related to CVE-2022-0965.